Skip to main content

Linux Kernel EUVDEUVD-2026-32433

| CVE-2026-46051 MEDIUM
Improper Locking (CWE-667)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mgf2-2rm5-mvrf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low-privilege I/O against a mounted RAID5 array are required; no confidentiality or integrity impact, only system-wide availability loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:13 vuln.today
CVSS changed
Jun 16, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix soft lockup in retry_aligned_read()

When retry_aligned_read() encounters an overlapped stripe, it releases the stripe via raid5_release_stripe() which puts it on the lockless released_stripes llist. In the next raid5d loop iteration, release_stripe_list() drains the stripe onto handle_list (since STRIPE_HANDLE is set by the original IO), but retry_aligned_read() runs before handle_active_stripes() and removes the stripe from handle_list via find_get_stripe() -> list_del_init(). This prevents handle_stripe() from ever processing the stripe to resolve the overlap, causing an infinite loop and soft lockup.

Fix this by using __release_stripe() with temp_inactive_list instead of raid5_release_stripe() in the failure path, so the stripe does not go through the released_stripes llist. This allows raid5d to break out of its loop, and the overlap will be resolved when the stripe is eventually processed by handle_stripe().

AnalysisAI

Soft lockup in the Linux kernel's md/raid5 subsystem allows a local low-privileged user to trigger an infinite loop in the raid5d kernel thread, causing a kernel soft lockup and system-wide denial of service on hosts running RAID5 arrays. The fault lies in retry_aligned_read() using the wrong stripe release path when encountering overlapping stripes, permanently starving handle_stripe() of the work item needed to resolve the overlap. No public exploit has been identified and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; however, multiple active stable kernel branches from 3.12 onward are affected and vendor-released patches are confirmed across five fix versions.

Technical ContextAI

The affected code resides in drivers/md/raid5.c within the Linux kernel's software RAID subsystem (md - multiple devices). The vulnerability manifests in retry_aligned_read(), the function responsible for retrying aligned block I/O requests that were deferred due to stripe busy conditions. CWE-667 (Improper Locking) captures the root cause: when retry_aligned_read() encounters an overlapping stripe, it calls raid5_release_stripe(), which enqueues the stripe onto the lockless released_stripes llist. On the next iteration of the raid5d kernel worker thread, release_stripe_list() correctly drains the stripe onto handle_list because STRIPE_HANDLE is set. However, retry_aligned_read() executes before handle_active_stripes() within the same raid5d loop and calls find_get_stripe() followed by list_del_init(), removing the stripe from handle_list. This creates a perpetual starvation condition: handle_stripe() never receives the stripe to resolve the overlap, raid5d loops indefinitely, and the kernel soft-lockup watchdog fires. The fix redirects the release path to __release_stripe() with a temp_inactive_list, bypassing the released_stripes llist and allowing raid5d to exit its loop. CPE coverage confirms the affected platform as cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across seven tracked stable series.

RemediationAI

Upgrade to a patched upstream Linux kernel version: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later. Stable-branch fix commits are available at kernel.org: https://git.kernel.org/stable/c/09880592f5a9dc73377d6eb5ac123537b5f8df49, https://git.kernel.org/stable/c/1985cb3247e87ff6b8ca4bc5f9626f4f51024507, https://git.kernel.org/stable/c/7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc, https://git.kernel.org/stable/c/80fc6ca2cbde018d52e13f305edcd643911bd94b, https://git.kernel.org/stable/c/883cc33b7af1c448663287f069ef9dfea only, and additional branches at https://git.kernel.org/stable/c/66df9f30673db66ac35145820a8e24906069ae57 and https://git.kernel.org/stable/c/a9055300e07d9d6800264d3c2560e1d0144689ca. For systems where kernel patching requires a maintenance window, the only practical compensating control is to avoid sustained high-concurrency aligned read workloads against md/raid5 devices, as these are most likely to trigger the overlapping stripe condition; however, this is operationally difficult to enforce and does not fully eliminate risk. Disabling md/raid5 arrays is not a viable workaround for production storage systems. Operators should prioritize scheduling kernel updates in the next available maintenance window.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy