Skip to main content

Linux Kernel EUVDEUVD-2026-25450

| CVE-2026-31557 HIGH
2026-04-24 Linux GHSA-7v44-fgx9-96v6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:14 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:29 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25450
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:35 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nvmet: move async event work off nvmet-wq

For target nvmet_ctrl_free() flushes ctrl->async_event_work. If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue completion for the same worker:-

A. Async event work queued on nvmet-wq (prior to disconnect): nvmet_execute_async_event() queue_work(nvmet_wq, &ctrl->async_event_work)

nvmet_add_async_event() queue_work(nvmet_wq, &ctrl->async_event_work)

B. Full pre-work chain (RDMA CM path): nvmet_rdma_cm_handler() nvmet_rdma_queue_disconnect() __nvmet_rdma_queue_disconnect() queue_work(nvmet_wq, &queue->release_work) process_one_work() lock((wq_completion)nvmet-wq) <--------- 1st nvmet_rdma_release_queue_work()

C. Recursive path (same worker): nvmet_rdma_release_queue_work() nvmet_rdma_free_queue() nvmet_sq_destroy() nvmet_ctrl_put() nvmet_ctrl_free() flush_work(&ctrl->async_event_work) __flush_work() touch_wq_lockdep_map() lock((wq_completion)nvmet-wq) <--------- 2nd

Lockdep splat:

============ WARNING: possible recursive locking detected 6.19.0-rc3nvme+ #14 Tainted: G N -------------------------------------------- kworker/u192:42/44933 is trying to acquire lock: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90

but task is already holding lock: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660

3 locks held by kworker/u192:42/44933: #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660 #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660 #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530

Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma] Call Trace: __flush_work+0x268/0x530 nvmet_ctrl_free+0x140/0x310 [nvmet] nvmet_cq_put+0x74/0x90 [nvmet] nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma] nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma] process_one_work+0x206/0x660 worker_thread+0x184/0x320 kthread+0x10c/0x240 ret_from_fork+0x319/0x390

Move async event work to a dedicated nvmet-aen-wq to avoid reentrant flush on nvmet-wq.

AnalysisAI

A workqueue deadlock in Linux kernel NVMe-over-Fabrics target (nvmet) allows remote denial of service via recursive locking during controller disconnect. The nvmet subsystem's async event handler can trigger reentrant workqueue completion when nvmet_ctrl_free() flushes work on the same queue (nvmet-wq) that invoked it, causing a lockdep-detected recursive lock scenario. EPSS score of 0.02% indicates very low probability of exploitation in the wild. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and mainline 7.0 via upstream commits.

Technical ContextAI

The vulnerability exists in the Linux kernel's NVMe-over-Fabrics target implementation (nvmet), specifically in the RDMA connection manager path. NVMe-over-Fabrics (NVMe-oF) allows block storage access over network fabrics using RDMA for high-performance storage networking. The issue stems from improper workqueue design where async_event_work and release_work both execute on the shared nvmet-wq workqueue. When nvmet_rdma_cm_handler() initiates a disconnect, it queues release_work on nvmet-wq. This work calls nvmet_ctrl_free(), which attempts to flush async_event_work on the same queue, causing the worker thread to wait for itself-a classic recursive locking pattern detected by the kernel's lockdep validator. The technical chain involves three held locks: wq_completion for nvmet-wq (acquired twice recursively), work_completion for release_work, and rcu_read_lock. The fix isolates async event processing to a dedicated nvmet-aen-wq workqueue, preventing cross-queue flush dependencies.

RemediationAI

Upgrade to patched Linux kernel versions: 7.0 or later for mainline, 6.19.11+ for 6.19.x series, 6.18.21+ for 6.18.x series, or 6.12.80+ for 6.12.x LTS series. Patches available from kernel.org stable repository via commits at https://git.kernel.org/stable/c/2922e3507f6d5caa7f1d07f145e186fc6f317a4e (mainline), https://git.kernel.org/stable/c/ca111c9d8d6c9d5735878d933a1716c4be86c2d1, https://git.kernel.org/stable/c/25ceffc1dabec3b93f458b437aae26f4da293f87, and https://git.kernel.org/stable/c/49c7c50ee6325a084216e94395e067ecde8088fa. If immediate patching is not feasible, temporarily disable nvmet-rdma module (rmmod nvmet_rdma) if NVMe-over-Fabrics RDMA target functionality is not business-critical; this prevents deadlock exposure but eliminates RDMA-based NVMe storage serving capability. Alternative workaround: switch NVMe-oF targets to TCP transport (nvmet-tcp) instead of RDMA, which uses different code paths unaffected by this workqueue issue, though with performance trade-offs (higher CPU utilization, increased latency). No configuration-based mitigation exists-code-level fix required.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy