Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access to the pSeries hvpipe device node required (AV:L, PR:L); race condition window is interrupt-timing dependent (AC:H); impact is availability-only kernel deadlock with no confidentiality or integrity effects (A:H, C:N, I:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
pseries/papr-hvpipe: Fix race with interrupt handler
While executing ->ioctl handler or ->release handler, if an interrupt fires on the same cpu, then we can enter into a deadlock.
This patch fixes both these handlers to take spin_lock_irq{save|restore} versions of the lock to prevent this deadlock.
AnalysisAI
Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.
Technical ContextAI
The vulnerability resides in the pseries/papr-hvpipe driver, which implements a hypervisor pipe (hvpipe) interface for IBM pSeries systems running Linux under the Power Architecture Platform Reference (PAPR) hypervisor model. The driver's ioctl and release handlers acquired spin locks without disabling local CPU interrupts. If a hardware interrupt fires on the same CPU core while either handler holds the lock, the interrupt handler may attempt to re-acquire the already-held spin lock, producing a classic lock inversion deadlock - classified under CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization). The fix replaces spin_lock/spin_unlock with spin_lock_irqsave/spin_lock_irqrestore, which atomically disable local interrupts while the lock is held, closing the race window entirely. Affected products are identified by CPE cpe:2.3:a:linux:linux:* bounded to kernel versions from commit 814ef095f12c9fa142043ee689500f3a41bb6dab forward, prior to the stable fix commits.
RemediationAI
Upgrade to a fixed Linux kernel version: Linux 7.0.7, Linux 7.1-rc3, or any release incorporating the 6.18 stable branch fixes. The upstream patches are available at https://git.kernel.org/stable/c/342c966f81cfc3cb6c297e80b37a9f3a5d637d2c and https://git.kernel.org/stable/c/7a4f0846ee6cc8cf44ae0046ed42e3259d1dd45b. Distribution maintainers (RHEL, SUSE, Ubuntu for Power) should be monitored for backported stable releases incorporating these commits. If immediate kernel upgrade is not operationally feasible on IBM pSeries systems, a compensating control is to unload and blacklist the papr-hvpipe module: run 'modprobe -r papr_hvpipe' and add 'blacklist papr_hvpipe' to /etc/modprobe.d/blacklist.conf - the trade-off is that this disables hypervisor pipe functionality and may interrupt workloads relying on PAPR hvpipe communication channels. The NVD advisory is available at https://nvd.nist.gov/vuln/detail/CVE-2026-46298.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35164
GHSA-qppg-32m7-mvgc