Skip to main content

Linux Kernel CVE-2026-46061

| EUVDEUVD-2026-32443 MEDIUM
Improper Locking (CWE-667)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f5wj-8q5w-fqwr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires concurrent filesystem and writeback timing alignment with blocksize < pagesize - AC:H; PR:L for local filesystem access; pure availability impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 03:31 vuln.today
CVSS changed
Jun 16, 2026 - 01:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

jbd2: fix deadlock in jbd2_journal_cancel_revoke()

Commit f76d4c28a46a ("fs/jbd2: use sleeping version of __find_get_block()") changed jbd2_journal_cancel_revoke() to use __find_get_block_nonatomic() which holds the folio lock instead of i_private_lock. This breaks the lock ordering (folio -> buffer) and causes an ABBA deadlock when the filesystem blocksize < pagesize:

T1 T2 ext4_mkdir() ext4_init_new_dir() ext4_append() ext4_getblk() lock_buffer() <- A sync_blockdev() blkdev_writepages() writeback_iter() writeback_get_folio() folio_lock() <- B ext4_journal_get_create_access() jbd2_journal_cancel_revoke() __find_get_block_nonatomic() folio_lock() <- B block_write_full_folio() lock_buffer() <- A

This can occasionally cause generic/013 to hang.

Fix by only calling __find_get_block_nonatomic() when the passed buffer_head doesn't belong to the bdev, which is the only case that we need to look up its bdev alias. Otherwise, the lookup is redundant since the found buffer_head is equal to the one we passed in.

AnalysisAI

Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.

Technical ContextAI

jbd2 (Journal Block Device 2) is the journaling layer underpinning ext4 and other Linux filesystems, managing transaction metadata to ensure consistency. The vulnerability was introduced by commit f76d4c28a46a, which changed jbd2_journal_cancel_revoke() to call __find_get_block_nonatomic() - a function that acquires the folio (page) lock rather than i_private_lock. CWE-667 (Improper Locking) is the root cause: on filesystems where blocksize is less than the system pagesize, two kernel threads can acquire the folio lock and buffer lock in opposite orders. Thread T1 (ext4_mkdir → lock_buffer → jbd2_journal_cancel_revoke → folio_lock) and Thread T2 (sync_blockdev → writeback path → folio_lock → lock_buffer) each hold one lock while waiting for the other, producing a classic ABBA deadlock. Affected CPEs span cpe:2.3:o:linux:linux_kernel across multiple stable series including 6.12.x prior to 6.12.86 and 6.15 through rc7. The Tags field in the source data labels this 'Information Disclosure,' which conflicts with the CVSS vector (C:N) and the description - this appears to be a mislabeled tag; there is no confidentiality impact.

RemediationAI

Upstream fix commits are available across multiple stable branches at https://git.kernel.org/stable/c/2b2fee890250ab647a601124471a334bb01a0790, https://git.kernel.org/stable/c/981fcc5674e67158d24d23e841523eccba19d0e7, https://git.kernel.org/stable/c/bbd943d6a2d566428324b516a37f98328dfb802d, and https://git.kernel.org/stable/c/dff07cc98fdf6af57a7c054dc09b2050a9d5c287. Patched versions confirmed from EUVD data are 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1; users should upgrade to the appropriate patched release for their stable branch. As a compensating control where patching is not immediately feasible, administrators can ensure that the ext4 filesystem blocksize matches the system pagesize (e.g., mkfs.ext4 -b 4096 on systems with PAGE_SIZE=4096), which prevents the deadlock condition from arising; note this may not be viable on ARM64 systems with 64KB pages, and reformatting requires data migration. Distribution-specific kernel security updates should be applied as they become available, as the upstream patches may require backporting by distribution maintainers.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy