Skip to main content

Linux CVE-2026-23452

| EUVDEUVD-2026-18704 MEDIUM
Race Condition (CWE-362)
2026-04-03 Linux GHSA-vxcm-6fmh-2q7q
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 15:07 NVD
4.7 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
29ab768277617452d88c0607c9299cdc63b6e9ff,39f2d86f2ddde8d1beda05732f30c7cd945e0b5a,5649b46af8b167259e8a8e4e7eb3667ce74554b5
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18704
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

PM: runtime: Fix a race condition related to device removal

The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed:

/* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock);

spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock);

spin_lock(&dev->power.lock); }

Fix this by inserting a flush_work() call in pm_runtime_remove().

Without this patch blktest block/001 triggers the following complaint sporadically:

BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 Workqueue: pm pm_runtime_work Call Trace: <TASK> dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x8b/0x310 print_report+0xfd/0x1d7 kasan_report+0xd8/0x1d0 __kasan_check_byte+0x42/0x60 lock_acquire.part.0+0x38/0x230 lock_acquire+0x70/0x160 _raw_spin_lock+0x36/0x50 rpm_suspend+0xc6a/0xfe0 rpm_idle+0x578/0x770 pm_runtime_work+0xee/0x120 process_one_work+0xde3/0x1410 worker_thread+0x5eb/0xfe0 kthread+0x37b/0x480 ret_from_fork+0x6cb/0x920 ret_from_fork_asm+0x11/0x20 </TASK>

Allocated by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_alloc_info+0x3d/0x50 __kasan_kmalloc+0xa0/0xb0 __kmalloc_noprof+0x311/0x990 scsi_alloc_target+0x122/0xb60 [scsi_mod] __scsi_scan_target+0x101/0x460 [scsi_mod] scsi_scan_channel+0x179/0x1c0 [scsi_mod] scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] store_scan+0x2d2/0x390 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810 do_syscall_64+0xee/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_free_info+0x3f/0x50 __kasan_slab_free+0x67/0x80 kfree+0x225/0x6c0 scsi_target_dev_release+0x3d/0x60 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_put+0x7f/0xc0 [scsi_mod] sdev_store_delete+0xa5/0x120 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810

AnalysisAI

Linux kernel runtime PM subsystem contains a use-after-free race condition in pm_runtime_work() where the dev->parent pointer may be dereferenced after the parent device has been freed during device removal. This results in a KASAN-detectable memory safety violation that can trigger kernel panics or arbitrary memory access. The vulnerability affects all Linux kernel versions and is resolved by adding a flush_work() call to pm_runtime_remove() to serialize device removal with pending runtime PM work.

Technical ContextAI

The vulnerability exists in the Linux kernel's Runtime Power Management (PM) subsystem, specifically in the pm_runtime_work() function which processes asynchronous runtime PM state changes via workqueue. When a parent device is removed while a child device has pending runtime PM work queued, the work function may read dev->parent after the parent has been freed and its memory reclaimed. This is a classic use-after-free race condition where the parent device pointer is accessed without proper synchronization against concurrent device removal operations. The fix introduces a flush_work() barrier in pm_runtime_remove() to ensure all pending pm_runtime_work() instances complete before device removal proceeds, preventing the race window. CWE classification appears related to CWE-416 (use-after-free) though not explicitly provided.

RemediationAI

Apply the upstream fix by cherry-picking or rebasing to include commit 5649b46af8b167259e8a8e4e7eb3667ce74554b5 and corresponding stable branch patches (see references). The fix adds flush_work(&dev->power.work) in pm_runtime_remove() to serialize device removal with pending pm_runtime_work() completions. Kernel distributions should backport this fix to all actively maintained stable branches (6.1.x, 6.6.x, 6.9.x, 6.10.x, and earlier LTS versions). Operators of systems with active device hotplug, SCSI target scanning, or high device churn should prioritize updating to a patched kernel version. The commit hash 5649b46af8b167259e8a8e4e7eb3667ce74554b5 can be verified at https://git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
SUSE Linux Micro 6.2 Fixed

Share

CVE-2026-23452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy