Skip to main content

Linux Kernel EUVDEUVD-2026-27639

| CVE-2026-43115 MEDIUM
2026-05-06 Linux GHSA-vj6f-v49f-r83x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 08, 2026 - 20:00 vuln.today
CVSS changed
May 08, 2026 - 17:52 NVD
5.5 (MEDIUM)
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

srcu: Use irq_work to start GP in tiny SRCU

Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool->lock.

This causes a lockdep splat when call_srcu() is called with a scheduler lock held, due to:

call_srcu() [holding pi_lock] srcu_gp_start_if_needed() schedule_work() -> pool->lock

workqueue_init() / create_worker() [holding pool->lock] wake_up_process() -> try_to_wake_up() -> pi_lock

Also add irq_work_sync() to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins.

Tested with rcutorture SRCU-T and no lockdep warnings.

[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work to start process_srcu()" ]

AnalysisAI

Denial of service in Linux kernel tiny SRCU (Synchronize-RCU) subsystem allows local authenticated attackers to trigger a system hang or crash by invoking call_srcu() while holding scheduler locks, causing a circular lock dependency and potential deadlock. The vulnerability affects kernel versions before 6.19.14 and 7.0, with EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS severity.

Technical ContextAI

Tiny SRCU is a minimal read-copy-update synchronization primitive in the Linux kernel used for low-overhead RCU callbacks. The vulnerability exists in srcu_gp_start_if_needed(), which directly calls schedule_work() to start grace periods. The schedule_work() function acquires the workqueue pool->lock, creating a circular lock dependency when call_srcu() is invoked while the kernel holds the pi_lock (priority-inheritance lock used by the process scheduler). The fix replaces schedule_work() with irq_work, which defers pool->lock acquisition to a safe context, breaking the lock ordering cycle. Additionally, irq_work_sync() is added to cleanup_srcu_struct() to prevent use-after-free conditions.

RemediationAI

Upgrade to Linux kernel 6.19.14, 7.0, or later. Vendor-released patches are available at https://git.kernel.org/stable/c/bb37286db65368cb72ba8757ad86299c4e4a73fc and https://git.kernel.org/stable/c/a6fc88b22bc8d12ad52e8412c667ec0f5bf055af. For systems unable to patch immediately, restrict local user access to RCU-related kernel interfaces and disable user-space RCU libraries if not required - this eliminates the attack surface by preventing call_srcu() invocations from user context. However, this mitigation may break legitimate RCU-dependent applications, so evaluate dependencies before implementation. Monitor system logs for RCU timeout warnings as an indicator of lock contention. Backports should be applied to any stable kernel branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.9.x) in use.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy