Skip to main content

Linux Kernel CVE-2026-43147

| EUVDEUVD-2026-27707 MEDIUM
Improper Locking (CWE-667)
2026-05-06 Linux GHSA-5c36-jx4m-m84f
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 10:37 vuln.today
CVSS changed
May 13, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"

This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"), which causes a deadlock by recursively taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of pci_stop_and_remove_bus_device(). For example with the following sequence of commands:

$ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs $ echo 1 > /sys/bus/pci/devices/<pf>/remove

A trimmed trace of the deadlock on a mlx5 device is as below:

zsh/5715 is trying to acquire lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140

but task is already holding lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80 ... Call Trace: [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110 [<00000259779c844e>] print_deadlock_bug+0x31e/0x330 [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0 [<00000259779bffac>] lock_acquire+0x14c/0x350 [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520 [<000002597896413c>] mutex_lock_nested+0x3c/0x50 [<00000259784a07e4>] sriov_disable+0x34/0x140 [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core] [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core] [<00000259784857fc>] pci_device_remove+0x3c/0xa0 [<000002597851012e>] device_release_driver_internal+0x18e/0x280 [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0 [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80 [<00000259784972c2>] remove_store+0x72/0x90 [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200 [<0000025977d7241c>] vfs_write+0x24c/0x300 [<0000025977d72696>] ksys_write+0x86/0x110 [<000002597895b61c>] __do_syscall+0x14c/0x400 [<000002597896e0ee>] system_call+0x6e/0x90

This alone is not a complete fix as it restores the issue the cited commit tried to solve. A new fix will be provided as a follow on.

AnalysisAI

Deadlock in the Linux Kernel PCI/IOV SR-IOV subsystem allows a local low-privileged user to trigger a kernel hang via a recursive mutex acquisition, resulting in a complete denial of service on the affected host. The root cause is commit 05703271c3cd, which added pci_rescan_remove_lock around SR-IOV enable/disable operations without accounting for the re-entrant path where sriov_del_vfs() is invoked from within pci_stop_and_remove_bus_device_locked(), which already holds the same lock. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, consistent with the local-only attack vector.

Technical ContextAI

The vulnerability resides in the Linux Kernel PCI/IOV subsystem (CPE: cpe:2.3:a:linux:linux). SR-IOV (Single Root I/O Virtualization) is a PCI Express feature allowing a single physical function (PF) to present multiple virtual functions (VFs) to the OS. The affected code path involves pci_rescan_remove_lock, a mutex serializing PCI bus rescan and device removal operations. Commit 05703271c3cd introduced this lock in the sriov_enable/sriov_disable paths to prevent races during SR-IOV toggling. However, it failed to account for the recursive lock acquisition scenario: when a user writes '1' to /sys/bus/pci/devices/<pf>/remove, pci_stop_and_remove_bus_device_locked() acquires pci_rescan_remove_lock, then calls into the driver's remove_one callback (mlx5_sriov_disable in the traced example), which calls sriov_disable(), which attempts to re-acquire the same non-reentrant mutex - causing a classic ABBA deadlock. CWE-667 (Improper Locking) precisely describes this: a mutex used without proper consideration of recursive/nested acquisition paths. The CVE description explicitly notes that reverting 05703271c3cd is not a complete fix, and a follow-on patch is required to address the original race condition that 05703271c3cd attempted to solve.

RemediationAI

Upgrade to a patched Linux Kernel release: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0, depending on the stable branch in use. Upstream revert commits are available at https://git.kernel.org/stable/c/83651d37474c762920e345a3a0828f975ca4d732 (and corresponding per-branch commits at the additional reference URLs provided). Red Hat and SUSE users should monitor their respective errata channels for distribution-specific kernel updates. If immediate patching is not possible, the primary compensating control is to restrict write access to the SR-IOV sysfs attributes (/sys/bus/pci/devices/<pf>/sriov_numvfs and /sys/bus/pci/devices/<pf>/remove) to only trusted administrators, reducing exposure on multi-tenant or shared systems. Alternatively, disabling SR-IOV entirely at the BIOS/UEFI level eliminates the vulnerable code path entirely, though this trade-off impacts VF-based workloads. Note: the CVE description explicitly states the revert is not a complete fix - a follow-on patch addressing the original race condition will be required; track kernel stable tree updates for that subsequent commit.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy