Skip to main content

Linux Kernel EUVDEUVD-2026-38814

| CVE-2026-52946 HIGH
Improper Locking (CWE-667)
2026-06-24 Linux GHSA-9h35-hqff-9v3w
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Remotely reachable via TCP URG (AV:N, PR:N, UI:N) but requires winning a multi-CPU lock race, so AC:H; impact is hang-only, hence C:N/I:N/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:30 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:26 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:26 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context:

  • send_sigio() via input_inject_event -> kill_fasync
  • send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:

  1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
  2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in

fork() or exit() and spins, which blocks all new readers.

  1. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
  2. The softirq calls send_sigurg() and attempts to acquire

read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets.

Lockdep splat: ============= WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event_lock --> &f_owner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock);

* DEADLOCK *

AnalysisAI

Remote denial of service in the Linux kernel arises from a SOFTIRQ-safe to SOFTIRQ-unsafe lock-ordering deadlock in the fasync signaling path (fs/fcntl), where send_sigio() and send_sigurg() take read_lock(&tasklist_lock) from softirq context while traversing a process group (PIDTYPE_PGID). When this collides with a writer spinning on tasklist_lock during fork()/exit(), the CPU can deadlock and hang. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted TCP segment with URG flag
Delivery
Kernel enters send_sigurg in NET_RX softirq
Exploit
Softirq takes read_lock on tasklist_lock
Execution
Collides with fork/exit write_lock waiter
Persist
CPU deadlocks under reader/writer contention
Impact
System hang / denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that a target process has FASYNC/SIGIO or SIGURG signaling configured with the file owner set to a process group (PIDTYPE_PGID), not a single PID - that is the precise feature that drives send_sigio()/send_sigurg() into the tasklist_lock traversal. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward low real-world urgency despite a 7.5 CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends TCP traffic with the URG flag set to a vulnerable host, driving tcp_check_urg->sk_send_sigurg on the NET_RX_SOFTIRQ softirq path while the kernel concurrently performs fork()/exit() and a process holds a process-group FASYNC owner. If the timing aligns with a writer queued on tasklist_lock, the CPU deadlocks, hanging the system. …
Remediation Update to a fixed stable kernel for your branch: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1.1 or later (Vendor-released patch confirmed available; the upstream fix replaces tasklist_lock with rcu_read_lock in send_sigio/send_sigurg, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems in your environment and determine which kernel versions are affected by CVE-2026-52946. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy