Skip to main content

Linux Kernel CVE-2026-46025

| EUVDEUVD-2026-32406 MEDIUM
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rhpm-rxf4-q3hf
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local access and low privilege required to reach DAMON APIs; high complexity reflects the narrow race window; only availability is affected via deadlock.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 16:09 vuln.today
CVSS changed
Jun 16, 2026 - 16:07 NVD
4.7 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: fix damon_call() vs kdamond_fn() exit race

Patch series "mm/damon/core: fix damon_call()/damos_walk() vs kdmond exit race".

damon_call() and damos_walk() can leak memory and/or deadlock when they race with kdamond terminations. Fix those.

This patch (of 2);

When kdamond_fn() main loop is finished, the function cancels all remaining damon_call() requests and unset the damon_ctx->kdamond so that API callers and API functions themselves can know the context is terminated. damon_call() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damon_call() starts waiting for the kdamond's handling of the newly added request.

The damon_call() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damon_call() could race with damon_ctx->kdamond unset, and result in deadlocks.

For example, let's suppose kdamond successfully finished the damon_call() requests cancelling. Right after that, damon_call() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damon_call() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damon_call() caller threads infinitely waits.

Fix this by introducing another damon_ctx field, namely call_controls_obsolete. It is protected by the damon_ctx->call_controls_lock, which protects damon_call() requests registration. Initialize (unset) it in kdamond_fn() before letting damon_start() returns and set it just before the cancelling of remaining damon_call() requests is executed. damon_call() reads the obsolete field under the lock and avoids adding a new request.

After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together.

Note that the deadlock will not happen when damon_call() is called for repeat mode request. In tis case, damon_call() returns instead of waiting for the handling when the request registration succeeds and it shows the kdamond is running. However, if the request also has dealloc_on_cancel, the request memory would be leaked.

The issue is found by sashiko [1].

AnalysisAI

Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.

Technical ContextAI

DAMON (Data Access MONitor) is a Linux kernel subsystem (mm/damon/) used for monitoring memory access patterns, leveraged by features such as DAMOS (DAMON-based Operation Schemes). The vulnerability exists because damon_call() request registration and the damon_ctx->kdamond pointer unset are protected by two different mutexes. This synchronization gap creates a TOCTOU (Time-of-Check Time-of-Use) window: damon_call() first enqueues a new request, then reads damon_ctx->kdamond to confirm the kdamond thread is still running. However, the kdamond may have already cancelled all pending requests and be in the process of unsetting damon_ctx->kdamond under a separate lock. The result is a newly registered request that will never be serviced, causing an infinite block. A secondary variant affects repeat-mode requests with dealloc_on_cancel set - these avoid the deadlock path but leak the request allocation. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) precisely describes this root cause: two control paths operating on shared state with insufficient lock coupling. Affected products per CPE are cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, spanning kernel versions from the introducing commit 42b7491af14cbba2393329ce43d508a957bd94fa through the stable branches fixed in 6.18.27, 7.0.4, and 7.1-rc1.

RemediationAI

The primary remediation is to upgrade to a patched Linux kernel version: 6.18.27, 7.0.4, or 7.1-rc1 or later, as the fix has been backported to multiple stable trees. The patch introduces a new damon_ctx field (call_controls_obsolete), protected by the same call_controls_lock mutex used for request registration, which allows damon_call() to detect an in-progress kdamond termination and abort before registering a request that will never be handled. Patch commits are available directly at the kernel.org stable tree URLs referenced above. For systems that cannot be immediately patched, a practical compensating control is to avoid invoking DAMON userspace APIs (e.g., via DAMON sysfs interface under /sys/kernel/mm/damon/) during periods when kdamond threads are expected to stop - for example, disabling DAMON monitoring before system shutdown or workload termination sequences. There is no known in-kernel configuration knob to disable this specific race path without disabling DAMON entirely. Disabling DAMON (by not loading or configuring any DAMON contexts) is an effective workaround for deployments that do not require memory access monitoring, with the trade-off of losing DAMON-based memory management benefits. Upstream vendor advisory is tracked under EUVD-2026-32406.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy