Skip to main content

Linux Kernel CVE-2026-46008

| EUVDEUVD-2026-32305 MEDIUM
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5mcx-8cmv-fvgx
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local-only vector with high complexity race timing window, low-privilege local access required, and sole impact is availability via indefinite thread hang.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 15:55 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
4.7 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: fix damos_walk() vs kdamond_fn() exit race

When kdamond_fn() main loop is finished, the function cancels remaining damos_walk() request and unset the damon_ctx->kdamond so that API callers and API functions themselves can show the context is terminated. damos_walk() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond's handling of the newly added request.

The damos_walk() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damos_walk() could race with damon_ctx->kdamond unset, and result in deadlocks.

For example, let's suppose kdamond successfully finished the damow_walk() request cancelling. Right after that, damos_walk() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damos_walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread infinitely waits.

Fix this by introducing another damon_ctx field, namely walk_control_obsolete. It is protected by the damon_ctx->walk_control_lock, which protects damos_walk() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() returns and set it just before the cancelling of the remaining damos_walk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request.

After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together.

The issue is found by sashiko [1].

AnalysisAI

Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.

Technical ContextAI

DAMON is the Linux kernel's Data Access Monitoring framework, used for memory management optimization. The kdamond kernel thread executes DAMON operations via kdamond_fn(), while damos_walk() provides an API for callers to enumerate DAMON schemes. The root cause is CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization): request registration in damos_walk() and the unsetting of damon_ctx->kdamond in kdamond_fn() are protected by different mutexes. This creates a TOCTOU window where damos_walk() can register a new request after the kdamond has already cancelled pending requests but before it nulls the kdamond pointer - causing the caller to block indefinitely waiting for handling that will never occur. The fix introduces a walk_control_obsolete field protected by damon_ctx->walk_control_lock, closing the race window. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to Linux kernel 7.0.4 (stable series) or 7.1-rc1 (mainline) which incorporate the fix via upstream commits 0ba956a239ba6e3fae8555d3660e22e675be63b5 and 33c3f6c2b48cd84b441dba1ee3e62290e53930f4, available at https://git.kernel.org/stable/c/0ba956a239ba6e3fae8555d3660e22e675be63b5 and https://git.kernel.org/stable/c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4. Distribution vendors (Red Hat, Canonical, SUSE, Debian) should be monitored for backported stable patches to their respective kernel series. As a compensating control where patching is not immediately feasible, disabling or avoiding use of the DAMON subsystem (e.g., not loading or configuring DAMON schemes that invoke damos_walk()) eliminates the vulnerable code path entirely, at the trade-off of losing DAMON-based memory management capabilities. No vendor advisory URL beyond the upstream kernel git commits has been identified.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy