Skip to main content

Linux EUVDEUVD-2026-15331

| CVE-2026-23356 MEDIUM
Reachable Assertion (CWE-617)
2026-03-25 Linux GHSA-rp6p-x9w7-2rqg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15331
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()

Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing.

If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error.

The rest of the code now assumed that this request has references for the relevant activity log extents.

The implcations are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realizs that these extents could have been target of in-flight IO and would need to be resynced just in case.

Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().

Fix:

Do not crash the kernel for a condition that is harmless during normal operation: also catch "e->refcnt 0", not only "e NULL" when being noisy about "al_complete_io() called on inactive extent %u\n".

And do not try to be smart and "guess" whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work. If it does not, remember a possible "partially in activity log" state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock().

A latter call for the same request will then resume from where we left off.

AnalysisAI

A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.

Technical ContextAI

The vulnerability exists in the DRBD activity log management code, specifically in the drbd_al_begin_io_nonblock() function which acquires cumulative activity log extent references using lc_get_cumulative() while holding the device->al_lock spinlock. The root cause is a race condition where lc_try_lock() called from another code path can fail despite checks suggesting success is possible, creating a state where the function logs a 'LOGIC BUG' diagnostic message but incorrectly returns success rather than an error code. This violates the implicit contract that callers can rely on activity log extent references being held. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, indicating all Linux kernel versions are potentially vulnerable depending on DRBD driver inclusion. The root cause class relates to improper error handling and race condition management in spinlock-protected critical sections.

RemediationAI

Update the Linux kernel to a version that includes one or more of the security commits referenced (7752569fc78e89794ce28946529850282233f99d, e91d8d6565b7819d13dab21d4dbed5b45efba59b, eef1390125b660b8b61f9f227a03bb9c5e6d36a5, d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508, f558e5404a72054b525dced1a0c66aa95a144153, ab140365fb62c0bdab22b2f516aff563b2559e3b) available in the kernel stable git tree at https://git.kernel.org/stable/. For systems unable to immediately patch, disable DRBD usage if operationally feasible, or monitor system logs for 'LOGIC BUG for enr=' messages which indicate exploitation attempts. Test patched kernels in non-production environments before deploying, as kernel updates require system reboots. Consult your Linux distribution's security advisory process (e.g., kernel-sec mailing list, Red Hat RHSA, Ubuntu USN, Debian DSA) for backported patches to your specific kernel release.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy