Skip to main content

Linux Kernel CVE-2026-45895

| EUVDEUVD-2026-32361 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-c6wv-8c38-r975
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low-privilege quota commands required; no confidentiality or integrity impact, only availability via livelock-induced hang.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:33 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

quota: fix livelock between quotactl and freeze_super

When a filesystem is frozen, quotactl_block() enters a retry loop waiting for the filesystem to thaw. It acquires s_umount, checks the freeze state, drops s_umount and uses sb_start_write() - sb_end_write() pair to wait for the unfreeze.

However, this retry loop can trigger a livelock issue, specifically on kernels with preemption disabled.

The mechanism is as follows:

  1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().
  2. sb_wait_write() calls percpu_down_write(), which initiates

synchronize_rcu().

  1. Simultaneously, quotactl_block() spins in its retry loop, immediately

executing the sb_start_write() - sb_end_write() pair.

  1. Because the kernel is non-preemptible and the loop contains no

scheduling points, quotactl_block() never yields the CPU. This prevents that CPU from reaching an RCU quiescent state.

  1. synchronize_rcu() in the freezer thread waits indefinitely for the

quotactl_block() CPU to report a quiescent state.

  1. quotactl_block() spins indefinitely waiting for the freezer to

advance, which it cannot do as it is blocked on the RCU sync.

This results in a hang of the freezer process and 100% CPU usage by the quota process.

While this can occur intermittently on multi-core systems, it is reliably reproducing on a node with the following script, running both the freezer and the quota toggle on the same CPU:

mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount

mount /dev/sda -o quota,usrquota,grpquota a_mount

taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \

xfs_freeze -u a_mount; done" &

taskset -c 3 bash -c "while true; do quotaon a_mount; \

quotaoff a_mount; done" &

Adding cond_resched() to the retry loop fixes the issue. It acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete.

AnalysisAI

Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's quota subsystem (fs/quota/quota.c), specifically in the quotactl_block() path. When a filesystem is frozen via freeze_super(), the freeze sets SB_FREEZE_WRITE and calls sb_wait_write(), which internally calls percpu_down_write() triggering synchronize_rcu() - a function that waits for all CPUs to pass through an RCU quiescent state. Simultaneously, quotactl_block() loops on s_umount, checking freeze state and immediately cycling through sb_start_write()/sb_end_write() without any cond_resched() call. On non-preemptible kernel builds (CONFIG_PREEMPT=n or PREEMPT_NONE), there are no implicit scheduling points inserted by the compiler, so the spinning CPU never yields, never reaches an RCU quiescent state, and synchronize_rcu() in the freezer thread deadlocks. The CWE is not formally assigned, but this is a livelock/concurrency defect - logically closest to CWE-833 (Deadlock) or CWE-835 (Loop with Unreachable Exit Condition). CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. Note: the 'Information Disclosure' tag in the source intelligence appears to be a mislabeling - the CVSS vector correctly reflects an Availability-only impact (A:H, C:N, I:N).

RemediationAI

The primary fix is upgrading to a patched Linux kernel stable release: 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0, as confirmed by EUVD. The upstream patch adds a cond_resched() call inside the quotactl_block() retry loop, providing an explicit RCU quiescent state and scheduling point that resolves the livelock. Distributions shipping affected kernel versions (Debian, Ubuntu, RHEL, SUSE) should be expected to backport these stable commits. As a compensating control where immediate kernel upgrade is not feasible, operators can avoid running filesystem freeze operations (xfs_freeze, LVM snapshots, fsfreeze) concurrently with quota management scripts on the same CPU affinity domain - separating these workloads via taskset or cgroups eliminates the reliable trigger path, though intermittent multi-core race conditions remain possible. Alternatively, disabling userquota/groupquota mount options eliminates the quotactl_block() code path entirely, at the cost of losing quota enforcement. Enabling kernel preemption (CONFIG_PREEMPT=y) also prevents the hang by inserting implicit scheduling points, but this requires a kernel rebuild and may affect real-time latency characteristics. Patch commits are available at the kernel.org stable tree references listed above.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy