Skip to main content

Linux Kernel EUVDEUVD-2026-32239

| CVE-2026-45955 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7293-q55v-843q
High
Disputed · 7.1 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Low–High)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 05, 2026 - 07:22 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout

When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref. The caller (md_llbitmap_daemon_fn) then continues to the next page without calling llbitmap_resume(), leaving the percpu_ref in a killed state permanently.

Fix this by resurrecting the percpu_ref before returning the error, ensuring the page control structure remains usable for subsequent operations.

AnalysisAI

High-impact integrity and availability flaw in the Linux kernel's md-llbitmap (multi-device log-based bitmap) subsystem allows a local low-privileged attacker to render RAID bitmap page control structures permanently unusable. When llbitmap_suspend_timeout() times out, percpu_ref is left in a killed state and never resurrected, breaking subsequent md daemon operations on that page. EPSS is very low (0.02%, 4th percentile) and no public exploit is identified at time of analysis, but vendor-released patches are available in 6.18.14 and 6.19.4.

Technical ContextAI

The vulnerability lies in drivers/md/md-llbitmap.c, part of the Linux kernel multi-device (md) RAID subsystem that uses log-based bitmaps to track dirty stripes. The code uses percpu_ref - a per-CPU reference counter that can be 'killed' to drain in-flight users before a suspend operation. The bug is a missing recovery path: llbitmap_suspend_timeout() kills the reference and waits for it to drain, but on -ETIMEDOUT it returns the error without calling percpu_ref_resurrect(), so the page's control structure remains in DEAD state. The caller md_llbitmap_daemon_fn continues iterating to the next page rather than aborting or resuming, leaving the affected page permanently unusable. CWE is not assigned, but the root cause is a state-machine/error-handling defect (closest mapping: CWE-755 improper handling of exceptional conditions, with cleanup-on-error semantics akin to CWE-460).

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.14 or 6.19.4 (or later) from your distribution, or backport the upstream fix commits 095417d6b669c2dec39a5842ccb94df915f97f54, d119bd2e1643cc023210ff3c6f0657e4f914e71d, and 2446d099350185caeed19ab2c0270451a97296fb from the stable tree at git.kernel.org. The fix restores the percpu_ref via resurrect-on-error before returning -ETIMEDOUT so the bitmap page remains usable. If patching is not immediately possible on affected hosts, the practical compensating control is to avoid the llbitmap mode for md RAID arrays - convert affected arrays to the legacy bitmap or external write-intent bitmap, accepting the resync/performance trade-offs of the older bitmap implementation; reducing concurrent suspend pressure on md arrays (avoiding aggressive bitmap operations under heavy I/O) lowers the chance of hitting the timeout path but does not eliminate it.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy