Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remotely reachable via TCP URG (AV:N, PR:N, UI:N) but requires winning a multi-CPU lock race, so AC:H; impact is hang-only, hence C:N/I:N/A:H.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal.
When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)
The deadlock is caused by the rwlock writer fairness mechanism:
- CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
- CPU 1 (process context) attempts write_lock(&tasklist_lock) in
fork() or exit() and spins, which blocks all new readers.
- CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
- The softirq calls send_sigurg() and attempts to acquire
read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.
Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets.
Lockdep splat: ============= WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event_lock --> &f_owner->lock --> tasklist_lock
Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock);
* DEADLOCK *
AnalysisAI
Remote denial of service in the Linux kernel arises from a SOFTIRQ-safe to SOFTIRQ-unsafe lock-ordering deadlock in the fasync signaling path (fs/fcntl), where send_sigio() and send_sigurg() take read_lock(&tasklist_lock) from softirq context while traversing a process group (PIDTYPE_PGID). When this collides with a writer spinning on tasklist_lock during fork()/exit(), the CPU can deadlock and hang. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a target process has FASYNC/SIGIO or SIGURG signaling configured with the file owner set to a process group (PIDTYPE_PGID), not a single PID - that is the precise feature that drives send_sigio()/send_sigurg() into the tasklist_lock traversal. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward low real-world urgency despite a 7.5 CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends TCP traffic with the URG flag set to a vulnerable host, driving tcp_check_urg->sk_send_sigurg on the NET_RX_SOFTIRQ softirq path while the kernel concurrently performs fork()/exit() and a process holds a process-group FASYNC owner. If the timing aligns with a writer queued on tasklist_lock, the CPU deadlocks, hanging the system. … |
| Remediation | Update to a fixed stable kernel for your branch: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1.1 or later (Vendor-released patch confirmed available; the upstream fix replaces tasklist_lock with rcu_read_lock in send_sigio/send_sigurg, e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems in your environment and determine which kernel versions are affected by CVE-2026-52946. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-667 – Improper Locking
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38814
GHSA-9h35-hqff-9v3w