CVE-2026-46173

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exit: prevent preemption of oopsing TASK_DEAD task<br /> <br /> When an already-exiting task oopses, make_task_dead() currently calls<br /> do_task_dead() with preemption enabled. That is forbidden:<br /> do_task_dead() calls __schedule(), which has a comment saying "WARNING:<br /> must be called with preemption disabled!".<br /> <br /> If an oopsing task is preempted in do_task_dead(), between becoming<br /> TASK_DEAD and entering the scheduler explicitly, bad things happen:<br /> finish_task_switch() assumes that once the scheduler has switched away<br /> from a TASK_DEAD task, the task can never run again and its stack is no<br /> longer needed; but that assumption apparently doesn&amp;#39;t hold if the dead<br /> task was preempted (the SM_PREEMPT case).<br /> <br /> This means that the scheduler ends up repeatedly dropping references on<br /> the dead task&amp;#39;s stack, which can lead to use-after-free or double-free<br /> of the entire task stack; in other words, two tasks can end up running<br /> on the same stack, resulting in various kinds of memory corruption.<br /> <br /> (This does not just affect "recursively oopsing" tasks; it is enough to<br /> oops once during task exit, for example in a file_operations::release<br /> handler)