Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local-only attack requiring low privilege to trigger CPU hotplug; only availability is impacted via kernel warning or panic, with no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
padata: Put CPU offline callback in ONLINE section to allow failure
syzbot reported the following warning:
DEAD callback error for CPU1 WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614
at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux") which tglx traced to padata_cpu_dead() given it's the only sub-CPUHP_TEARDOWN_CPU callback that returns an error.
Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU so move the CPU offline callback to the ONLINE section where failure is possible.
AnalysisAI
Denial of service in the Linux kernel's padata parallel data processing subsystem results from a misplaced CPU hotplug callback that returns an error in a section where error returns are not permitted. Specifically, padata_cpu_dead() is registered below CPUHP_TEARDOWN_CPU, a hotplug state phase where callbacks are not allowed to fail; when the callback returns non-zero, the kernel emits a 'DEAD callback error' warning that can destabilize the system. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with at minimum low-privilege Linux user credentials (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects the local-only, low-privilege attack surface with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with low-privilege access on a multi-CPU system running parallel IPsec or kernel crypto workloads (backed by padata) initiates a CPU offline operation - for example, via 'echo 0 > /sys/devices/system/cpu/cpu1/online' while padata is actively dispatching work. The padata_cpu_dead() callback fires in the teardown phase, returns an error in a context that forbids it, and the kernel emits a DEAD callback warning at kernel/cpu.c:1463. … |
| Remediation | The primary fix is to update the Linux kernel to a patched stable release: 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39849
GHSA-4fpm-3x7p-95xm