Skip to main content

Linux EUVDEUVD-2026-15330

| CVE-2026-23355 MEDIUM
2026-03-25 Linux GHSA-8672-3h73-hv9p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15330
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ata: libata: cancel pending work after clearing deferred_qc

Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc.

ata_scsi_schedule_deferred_qc() is called during each command completion. This function will check if there is a deferred QC, and if ap->ops->qc_defer() returns zero, meaning that it is possible to queue the deferred qc at this time (without being deferred), then it will queue the work which will issue the deferred qc.

Once the work get to run, which can potentially be a very long time after the work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns non-zero.

While we hold the ap->lock both when assigning and clearing deferred_qc, and the work itself holds the ap->lock, the code currently does not cancel the work after clearing the deferred qc.

This means that the following scenario can happen:

  1. One or several NCQ commands are queued.
  2. A non-NCQ command is queued, gets stored in ap->deferred_qc.
  3. Last NCQ command gets completed, work is queued to issue the deferred

qc.

  1. Timeout or error happens, ap->deferred_qc is cleared. The queued work is

currently NOT canceled.

  1. Port is reset.
  2. One or several NCQ commands are queued.
  3. A non-NCQ command is queued, gets stored in ap->deferred_qc.
  4. Work is finally run. Yet at this time, there is still NCQ commands in

flight.

The work in 8) really belongs to the non-NCQ command in 2), not to the non-NCQ command in 7). The reason why the work is executed when it is not supposed to, is because it was never canceled when ap->deferred_qc was cleared in 4). Thus, ensure that we always cancel the work after clearing ap->deferred_qc.

Another potential fix would have been to let ata_scsi_deferred_qc_work() do nothing if ap->ops->qc_defer() returns non-zero. However, canceling the work when clearing ap->deferred_qc seems slightly more logical, as we hold the ap->lock when clearing ap->deferred_qc, so we know that the work cannot be holding the lock. (The function could be waiting for the lock, but that is okay since it will do nothing if ap->deferred_qc is not set.)

AnalysisAI

This vulnerability is a race condition in the Linux kernel's libata subsystem where pending work is not properly canceled after clearing a deferred queue command (deferred_qc), leading to a WARN_ON() condition when the stale work eventually executes. The vulnerability affects all Linux kernel versions with the vulnerable libata code path, impacting systems using ATA/SATA disk controllers. An attacker with local access could trigger this condition through specific command sequences involving NCQ and non-NCQ commands, causing kernel warnings and potential system instability, though direct privilege escalation is not demonstrated.

Technical ContextAI

The Linux kernel's libata (ATA Library) subsystem manages ATA/SATA disk controller operations. The vulnerability exists in the deferred queue command (deferred_qc) handling mechanism within ata_scsi_deferred_qc_work() and related functions. When a non-NCQ command is queued while NCQ commands are in flight, the kernel defers the non-NCQ command and schedules work to issue it later. However, if the deferred_qc is cleared (due to timeout, error, or port reset) before the scheduled work executes, the work is never canceled. The root cause is a missing work cancellation after clearing ap->deferred_qc, allowing stale work to execute with an invalid command context. This is classified as a synchronization/state management issue rather than a traditional CWE vulnerability, as no single CWE was assigned. The CPE (cpe:2.3:a:linux:linux) indicates all Linux kernel versions are potentially affected until patched.

RemediationAI

Update the Linux kernel to a version that includes one of the patch commits (0d12453818c3, 6c5e8f16b5e8e, 58e658763ba2, or aac9b27f7c1f) from the stable repository at https://git.kernel.org/stable/. Users running stable kernel distributions should upgrade to the next available kernel update for their series (e.g., 6.6.x, 6.1.x, 5.15.x) that includes this patch. For systems that cannot be immediately patched, reduce the exposure by minimizing the use of mixed NCQ and non-NCQ ATA command sequences and avoiding frequent ATA device reset/recovery operations. Monitor kernel logs for WARN_ON messages related to ata_scsi_deferred_qc_work() as an indicator of exploitation. Check with your Linux distribution vendor (Red Hat, Ubuntu, Debian, SUSE, etc.) for backported patch availability in your specific kernel version.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy