Skip to main content

Linux Kernel CVE-2026-45855

| EUVDEUVD-2026-32321 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-45fm-cfrr-xr5q
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H better reflects the required combination of multi-queue hardware and sustained NCQ workload; all other metrics align with vendor scoring.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:24 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-scsi: avoid Non-NCQ command starvation

When a non-NCQ command is issued while NCQ commands are being executed, ata_scsi_qc_issue() indicates to the SCSI layer that the command issuing should be deferred by returning SCSI_MLQUEUE_XXX_BUSY. This command deferring is correct and as mandated by the ACS specifications since NCQ and non-NCQ commands cannot be mixed.

However, in the case of a host adapter using multiple submission queues, when the target device is under a constant load of NCQ commands, there are no guarantees that requeueing the non-NCQ command will be executed later and it may be deferred again repeatedly as other submission queues can constantly issue NCQ commands from different CPUs ahead of the non-NCQ command. This can lead to very long delays for the execution of non-NCQ commands, and even complete starvation for these commands in the worst case scenario.

Since the block layer and the SCSI layer do not distinguish between queueable (NCQ) and non queueable (non-NCQ) commands, libata-scsi SAT implementation must ensure forward progress for non-NCQ commands in the presence of NCQ command traffic. This is similar to what SAS HBAs with a hardware/firmware based SAT implementation do.

Implement such forward progress guarantee by limiting requeueing of non-NCQ commands from ata_scsi_qc_issue(): when a non-NCQ command is received and NCQ commands are in-flight, do not force a requeue of the non-NCQ command by returning SCSI_MLQUEUE_XXX_BUSY and instead return 0 to indicate that the command was accepted but hold on to the qc using the new deferred_qc field of struct ata_port.

This deferred qc will be issued using the work item deferred_qc_work running the function ata_scsi_deferred_qc_work() once all in-flight commands complete, which is checked with the port qc_defer() callback return value indicating that no further delay is necessary. This check is done using the helper function ata_scsi_schedule_deferred_qc() which is called from ata_scsi_qc_complete(). This thus excludes this mechanism from all internal non-NCQ commands issued by ATA EH.

When a port deferred_qc is non NULL, that is, the port has a command waiting for the device queue to drain, the issuing of all incoming commands (both NCQ and non-NCQ) is deferred using the regular busy mechanism. This simplifies the code and also avoids potential denial of service problems if a user issues too many non-NCQ commands.

Finally, whenever ata EH is scheduled, regardless of the reason, a deferred qc is always requeued so that it can be retried once EH completes. This is done by calling the function ata_scsi_requeue_deferred_qc() from ata_eh_set_pending(). This avoids the need for any special processing for the deferred qc in case of NCQ error, link or device reset, or device timeout.

AnalysisAI

Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.

Technical ContextAI

The Linux kernel's libata-scsi subsystem implements the SCSI-ATA Translation (SAT) layer that bridges the SCSI command set (used by the block and SCSI layers) to ATA command protocols. ACS (ATA Command Set) specifications prohibit mixing NCQ commands (FPDMA QUEUED, implemented in modern SATA drives) with non-NCQ commands on a shared command queue. When a non-NCQ command arrives while NCQ commands are in-flight, ata_scsi_qc_issue() historically returned SCSI_MLQUEUE_XXX_BUSY, instructing the SCSI layer to requeue the command. On host adapters with a single submission queue this is safe, but on multi-queue adapters (common in modern NVMe-style or high-performance SATA controllers), each CPU core has its own submission queue. There is no priority mechanism preventing other queues from continuously issuing new NCQ commands, causing the requeued non-NCQ command to be perpetually delayed. The affected CPE is cpe:2.3:o:linux:linux_kernel across multiple stable branches. No CWE is assigned by NVD, but this is best characterized as a scheduling fairness/resource starvation flaw in the command arbitration logic.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel stable release: 6.19.4, 6.18.14, or 6.12.77, depending on the stable branch in use. The upstream fix commits are available at https://git.kernel.org/stable/c/0ea84089dbf62a92dc7889c79e6b18fc89260808, https://git.kernel.org/stable/c/5d61a38a60e62750526d94663b69b7ac5c7f07a5, https://git.kernel.org/stable/c/888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2, and https://git.kernel.org/stable/c/ce22aaed011206fed9cbd8c9c2d44718607f31ee. For systems that cannot be immediately patched, a practical compensating control is to limit or serialize ATA workloads using I/O scheduler configuration (e.g., switching to the 'mq-deadline' scheduler for affected block devices via /sys/block/<dev>/queue/scheduler), which can provide more deterministic queue ordering and reduce starvation risk - though this may reduce peak throughput. Restricting multi-queue depth for the affected adapter via libata module parameters is another option but requires kernel module reload. Patch application from distribution vendors (RHEL, Ubuntu, SUSE, Debian) should be monitored as they backport to their respective kernel trees.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45855 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy