Skip to main content

Linux Kernel EUVDEUVD-2026-27686

| CVE-2026-43127 MEDIUM
Improper Locking (CWE-667)
2026-05-06 Linux GHSA-pmpx-w3f2-x2vp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 20:34 vuln.today
CVSS changed
May 08, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: fix circular locking dependency in run_unpack_ex

Syzbot reported a circular locking dependency between wnd->rw_lock (sbi->used.bitmap) and ni->file.run_lock.

The deadlock scenario:

  1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
  2. run_unpack_ex() takes wnd->rw_lock then tries to acquire

ni->file.run_lock inside ntfs_refresh_zone().

This creates an AB-BA deadlock.

Fix this by using down_read_trylock() instead of down_read() when acquiring run_lock in run_unpack_ex(). If the lock is contended, skip ntfs_refresh_zone() - the MFT zone will be refreshed on the next MFT operation. This breaks the circular dependency since we never block waiting for run_lock while holding wnd->rw_lock.

AnalysisAI

A circular locking dependency in the Linux kernel's ntfs3 filesystem driver allows local authenticated attackers with low privileges to cause a denial of service (system hang or crash) by triggering simultaneous operations that deadlock between the MFT run lock and bitmap read-write lock. The vulnerability affects kernel versions prior to 6.18.16, 6.19.6, and 7.0, and requires local access with user-level privileges to exploit.

Technical ContextAI

The vulnerability exists in the ntfs3 filesystem driver's run_unpack_ex() function, which is responsible for unpacking run lists in NTFS metadata structures. The root cause is a classic AB-BA circular wait condition (CWE-667: Improper Locking) involving two kernel synchronization primitives: ni->file.run_lock (per-inode run list lock) and wnd->rw_lock (bitmap read-write lock used for MFT zone management). The deadlock occurs because ntfs_extend_mft() acquires locks in order A→B (run_lock then wnd->rw_lock), while run_unpack_ex() attempts to acquire them in reverse order B→A (wnd->rw_lock then run_lock via ntfs_refresh_zone()). This is a synchronization bug in kernel filesystem code rather than a memory corruption or privilege escalation vulnerability.

RemediationAI

The primary fix is to upgrade the Linux kernel to version 6.18.16, 6.19.6, 7.0, or later, which includes the circular lock dependency fix. Stable kernel releases incorporating the fix are available from kernel.org. For systems unable to upgrade immediately, the vulnerability can be mitigated by disabling the ntfs3 filesystem driver (CONFIG_NTFS3=n) if NTFS support is not required, though this eliminates native NTFS mounting capability. Alternatively, limit NTFS filesystem usage to trusted, non-adversarial environments and monitor for system hangs during filesystem operations on NTFS volumes. Use ntfs-3g (FUSE-based userspace driver) as a temporary replacement if NTFS access is required on older kernels, at the cost of reduced performance. The kernel fix uses down_read_trylock() instead of blocking down_read() to break the lock ordering cycle, so no application-level changes are needed.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy