Skip to main content

Linux Kernel CVE-2026-46298

| EUVDEUVD-2026-35164 MEDIUM
Race Condition (CWE-362)
2026-06-08 Linux GHSA-qppg-32m7-mvgc
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local access to the pSeries hvpipe device node required (AV:L, PR:L); race condition window is interrupt-timing dependent (AC:H); impact is availability-only kernel deadlock with no confidentiality or integrity effects (A:H, C:N, I:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 08, 2026 - 15:29 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
4.7 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

pseries/papr-hvpipe: Fix race with interrupt handler

While executing ->ioctl handler or ->release handler, if an interrupt fires on the same cpu, then we can enter into a deadlock.

This patch fixes both these handlers to take spin_lock_irq{save|restore} versions of the lock to prevent this deadlock.

AnalysisAI

Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.

Technical ContextAI

The vulnerability resides in the pseries/papr-hvpipe driver, which implements a hypervisor pipe (hvpipe) interface for IBM pSeries systems running Linux under the Power Architecture Platform Reference (PAPR) hypervisor model. The driver's ioctl and release handlers acquired spin locks without disabling local CPU interrupts. If a hardware interrupt fires on the same CPU core while either handler holds the lock, the interrupt handler may attempt to re-acquire the already-held spin lock, producing a classic lock inversion deadlock - classified under CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization). The fix replaces spin_lock/spin_unlock with spin_lock_irqsave/spin_lock_irqrestore, which atomically disable local interrupts while the lock is held, closing the race window entirely. Affected products are identified by CPE cpe:2.3:a:linux:linux:* bounded to kernel versions from commit 814ef095f12c9fa142043ee689500f3a41bb6dab forward, prior to the stable fix commits.

RemediationAI

Upgrade to a fixed Linux kernel version: Linux 7.0.7, Linux 7.1-rc3, or any release incorporating the 6.18 stable branch fixes. The upstream patches are available at https://git.kernel.org/stable/c/342c966f81cfc3cb6c297e80b37a9f3a5d637d2c and https://git.kernel.org/stable/c/7a4f0846ee6cc8cf44ae0046ed42e3259d1dd45b. Distribution maintainers (RHEL, SUSE, Ubuntu for Power) should be monitored for backported stable releases incorporating these commits. If immediate kernel upgrade is not operationally feasible on IBM pSeries systems, a compensating control is to unload and blacklist the papr-hvpipe module: run 'modprobe -r papr_hvpipe' and add 'blacklist papr_hvpipe' to /etc/modprobe.d/blacklist.conf - the trade-off is that this disables hypervisor pipe functionality and may interrupt workloads relying on PAPR hvpipe communication channels. The NVD advisory is available at https://nvd.nist.gov/vuln/detail/CVE-2026-46298.

Share

CVE-2026-46298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy