Skip to main content

Linux Kernel EUVDEUVD-2026-28721

| CVE-2026-43415 MEDIUM
Race Condition (CWE-362)
2026-05-08 Linux GHSA-2489-gxhv-vf7c
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 18:23 vuln.today
CVSS changed
May 21, 2026 - 18:22 NVD
4.7 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend

In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows:

Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20

Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point.

AnalysisAI

Kernel panic triggered by a race condition in the UFS Host Controller Driver (ufshcd) during system suspend affects Linux systems using Universal Flash Storage hardware where UFSHCD_CAP_CLK_GATING is not supported. The flaw allows a local low-privileged user - or automated power management - to crash the kernel by triggering a suspend sequence while ufshcd_rtc_work() is concurrently executing, producing an ARM64 asynchronous SError interrupt that halts the system. No public exploit code exists and no active exploitation has been identified; with an EPSS of 0.02% this is a low-probability but confirmed-availability-destroying defect patched across multiple stable kernel branches.

Technical ContextAI

The affected subsystem is the Linux SCSI UFS (Universal Flash Storage) Host Controller Driver, identified via CPE cpe:2.3:a:linux:linux. The root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization - Race Condition). Specifically, in __ufshcd_wl_suspend(), the call to cancel_delayed_work_sync() - which ensures the periodic RTC synchronization work item is finished or cancelled - was placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This ordering means ufshcd_rtc_work() can still be in-flight while the vendor suspend hook performs clock gating operations on the UFS controller. When UFSHCD_CAP_CLK_GATING is absent, the guard condition !hba->clk_gating.active_reqs is trivially true, so ufshcd_update_rtc() proceeds to issue a device command (ufshcd_query_attr) against a controller that is mid-suspend, generating an asynchronous SError on ARM64 platforms. The kernel call trace confirms the ARM64 exception path: el1h_64_error → do_serror → arm64_serror_panic → panic.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0 (mainline), all of which reorder cancel_delayed_work_sync() to execute before ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE). Upstream patch commits are available at https://git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69, https://git.kernel.org/stable/c/b17211b512cbf0e07de27e1932428ee6c20df910, https://git.kernel.org/stable/c/c387a8f1d3713f6b0415ece8485042d0f134b91a, https://git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a, and https://git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d. For systems that cannot immediately patch, a compensating control is to disable UFS RTC synchronization at the driver level if the platform supports it (disabling UFSHCD_CAP_RTC_WORK), though this trades RTC accuracy for stability and may not be configurable on all distributions. Enabling UFSHCD_CAP_CLK_GATING where supported would also prevent the trivially-true guard condition from firing, but requires platform-specific validation. Distribution vendors (RHEL, Ubuntu, SUSE) have likely issued or will issue kernel updates incorporating these stable commits.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28721 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy