Skip to main content

Linux Kernel EUVDEUVD-2026-32445

| CVE-2026-46063 MEDIUM
Improper Locking (CWE-667)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5h69-gpmh-v98w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires concurrent mmap writer on another CPU during a page fault, making AC:H more accurate than the NVD-assigned AC:L; all other metrics align with the description.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 03:43 vuln.today
CVSS changed
Jun 16, 2026 - 01:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

x86/shstk: Prevent deadlock during shstk sigreturn

During sigreturn the shadow stack signal frame is popped. The kernel does this by reading the shadow stack using normal read accesses. When it can't assume the memory is shadow stack, it takes extra steps to makes sure it is reading actual shadow stack memory and not other normal readable memory. It does this by holding the mmap read lock while doing the access and checking the flags of the VMA.

Unfortunately that is not safe. If the read of the shadow stack sigframe hits a page fault, the fault handler will try to recursively grab another mmap read lock. This normally works ok, but if a writer on another CPU is also waiting, the second read lock could fail and cause a deadlock.

Fix this by not holding mmap lock during the read access to userspace.

Instead use mmap_lock_speculate_...() to watch for changes between dropping mmap lock and the userspace access. Retry if anything grabbed an mmap write lock in between and could have changed the VMA.

These mmap_lock_speculate_...() helpers use mm::mm_lock_seq, which is only available when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK depend on it. On x86, PER_VMA_LOCK is a default configuration for SMP kernels. So drop support for the other configs under the assumption that the !SMP shadow stack user base does not exist.

Currently there is a check that skips the lookup work when the SSP can be assumed to be on a shadow stack. While reorganizing the function, remove the optimization to make the tricky code flows more common, such that issues like this cannot escape detection for so long.

AnalysisAI

Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.

Technical ContextAI

This vulnerability resides in the x86 Control-flow Enforcement Technology (CET) shadow stack subsystem of the Linux kernel (cpe:2.3:o:linux:linux_kernel). CET shadow stacks maintain a separate, hardware-protected call stack used to validate return addresses and prevent ROP attacks. During signal delivery and return (sigreturn), the kernel must read back the shadow stack signal frame to restore state. The affected code held the mmap read lock (mmap_lock) while performing this userspace memory access and validating the target VMA's flags to confirm it was genuine shadow stack memory. CWE-667 (Improper Locking) applies because: if a page fault occurs during that userspace read, the page fault handler attempts to re-acquire the mmap read lock recursively; under Linux's rwsem implementation, if a concurrent mmap write-lock waiter is queued on another CPU, the recursive read-lock attempt can fail, resulting in a deadlock. The fix replaces the lock-hold approach with mmap_lock_speculate_begin()/mmap_lock_speculate_end() helpers, which use mm::mm_lock_seq to optimistically observe whether any write-lock was acquired between the check and the access, retrying if so. This speculative mechanism depends on PER_VMA_LOCK being compiled in, which is the default for x86 SMP kernels; the patch therefore makes X86_USER_SHADOW_STACK depend on PER_VMA_LOCK, dropping non-SMP shadow stack support.

RemediationAI

Vendor-released patches are available; upgrade to Linux 6.6.140, 6.12.88, 6.18.27, or 7.0.4 depending on the stable branch in use, or track mainline at 7.1-rc1 or later. Patch commits are available at https://git.kernel.org/stable/c/3d29db827502067626062f5c74dd502d14ab15bc (6.6 branch), https://git.kernel.org/stable/c/d042d69b417515959e49021fef008c9b04a99bd5, https://git.kernel.org/stable/c/e2c2b044458cbf22da05264fa707308e8d4f86f9, https://git.kernel.org/stable/c/4f3374c990fb2adec06d20fd6d780927811c9aa0, and https://git.kernel.org/stable/c/9874b2917b9fbc30956fee209d3c4aa47201c64e. As a compensating control prior to patching, administrators can disable CET shadow stack support by setting the kernel configuration option X86_USER_SHADOW_STACK=n and recompiling, or by using the prctl PR_SET_SHADOW_STACK_STATUS syscall to disable shadow stacks for critical processes; note this removes hardware ROP protection as a trade-off. Systems that are not SMP or do not have PER_VMA_LOCK compiled in are not vulnerable and require no action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy