Skip to main content

Linux Kernel CVE-2026-46304

| EUVDEUVD-2026-35169 HIGH
2026-06-08 Linux GHSA-jrgh-545x-2m82
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Reachable over TCP without auth on an exposed nvmet_tcp listener (AV:N, PR:N), but triggering the recursive-flush race needs precise create/teardown timing (AC:H); impact is availability-only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:28 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.5 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 cve.org
HIGH 7.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the final controller reference through nvmet_cq_put(). If that triggers nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on the same nvmet-wq.

Call chain:

nvmet_tcp_schedule_release_queue() kref_put(&queue->kref, nvmet_tcp_release_queue) nvmet_tcp_release_queue() queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq process_one_work() nvmet_tcp_release_queue_work() nvmet_cq_put(&queue->nvme_cq) nvmet_cq_destroy() nvmet_ctrl_put(cq->ctrl) nvmet_ctrl_free() flush_work(&ctrl->async_event_work) <--- nvmet_wq

Previously Scheduled by :- nvmet_add_async_event queue_work(nvmet_wq, &ctrl->async_event_work);

This trips lockdep with a possible recursive locking warning.

[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55 [ 5223.061801] loop0: detected capacity change from 0 to 2097152 [ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1 [ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420) [ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349. [ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 [ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"

[ 5233.227718] ============ [ 5233.231283] WARNING: possible recursive locking detected [ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N [ 5233.238434] -------------------------------------------- [ 5233.241852] kworker/u192:6/2413 is trying to acquire lock: [ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 [ 5233.251438] but task is already holding lock: [ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.261125] other info that might help us debug this: [ 5233.265333] Possible unsafe locking scenario:

[ 5233.269217] CPU0 [ 5233.270795] ---- [ 5233.272436] lock((wq_completion)nvmet-wq); [ 5233.275241] lock((wq_completion)nvmet-wq); [ 5233.278020] * DEADLOCK *

[ 5233.281793] May be due to missing lock nesting notation

[ 5233.286195] 3 locks held by kworker/u192:6/2413: [ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0 [ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530 [ 5233.304290] stack backtrace: [ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full) [ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST [ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp] [ 5233.306532] Call Trace: [ 5233.306534] <TASK> [ 5233.306536] dump_stack_lvl+0x73/0xb0 [ 5233.306552] print_deadlock_bug+0x225/0x2f0 [ 5233.306556] __lock_acquire+0x13f0/0x2290 [ 5233.306563] lock_acquire+0xd0/0x300 [ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306571] ? __flush_work+0x20b/0x530 [ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306577] touch_wq_lockdep_map+0x3b/0x90 [ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90 [ 52 ---truncated---

AnalysisAI

Denial of service in the Linux kernel's NVMe-over-TCP target (nvmet_tcp) module allows remote initiators to trigger a recursive nvmet-wq workqueue flush during controller teardown, producing a lockdep-flagged deadlock condition in nvmet_ctrl_free(). The flaw affects systems exposing NVMe-TCP targets where controller release work and async_event_work are both queued on the same nvmet workqueue. EPSS is 0.02% (7th percentile) and there is no public exploit identified at time of analysis; vendor patches have been issued across multiple stable branches.

Technical ContextAI

The bug lives in drivers/nvme/target (nvmet) and specifically the TCP transport. nvmet_tcp_release_queue_work() executes on the shared nvmet-wq workqueue and can drop the last controller reference via nvmet_cq_put() → nvmet_cq_destroy() → nvmet_ctrl_put() → nvmet_ctrl_free(). The teardown path then calls flush_work(&ctrl->async_event_work), but async_event_work was previously queued by nvmet_add_async_event() onto the same nvmet-wq the current worker is running on, creating a self-flush. Lockdep reports a possible recursive locking scenario on the wq_completion lock map, which under the right scheduling can stall progress on the workqueue. CPE strings list the Linux kernel (cpe:2.3:a:linux:linux). CWE is not assigned, but this is functionally a concurrency/deadlock defect (CWE-833 class).

RemediationAI

Vendor-released patches: upgrade to Linux 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc2 or later, choosing the appropriate stable branch for your distribution; distributor backports should be picked up from RHEL, Ubuntu, SUSE, and Debian security advisories once published. The fix reworks the nvmet_ctrl_free() teardown so async_event_work is no longer flushed from a worker running on the same nvmet-wq. If patching must be deferred, the only meaningful compensating control is to avoid exposing the nvmet_tcp target - unload the nvmet_tcp module on hosts that do not require it, or restrict the configured listening IP/port (the discovery and I/O ports, commonly TCP/4420) to a trusted storage management network via host firewall or namespace isolation; note that this disables NVMe-over-TCP service for legitimate initiators. Fix commits are at https://git.kernel.org/stable/c/ae5b0cad163833e10b271e9becc05d81dae56e5f and the related stable commits enumerated in references.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy