CVE-2026-46050
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
md/raid10: fix deadlock with check operation and nowait requests<br />
<br />
When an array check is running it will raise the barrier at which point<br />
normal requests will become blocked and increment the nr_pending value to<br />
signal there is work pending inside of wait_barrier(). NOWAIT requests<br />
do not block and so will return immediately with an error, and additionally<br />
do not increment nr_pending in wait_barrier(). Upstream change commit<br />
43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a<br />
call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit<br />
this condition. raid_end_bio_io() eventually calls allow_barrier() and<br />
it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even<br />
though the corresponding increment on nr_pending didn&#39;t happen in the<br />
NOWAIT case.<br />
<br />
This can be easily seen by starting a check operation while an application<br />
is doing nowait IO on the same array. This results in a deadlocked state<br />
due to nr_pending value underflowing and so the md resync thread gets stuck<br />
waiting for nr_pending to == 0.<br />
<br />
Output of r10conf state of the array when we hit this condition:<br />
<br />
crash> struct r10conf<br />
barrier = 1,<br />
nr_pending = {<br />
counter = -41<br />
},<br />
nr_waiting = 15,<br />
nr_queued = 0,<br />
<br />
Example of md_sync thread stuck waiting on raise_barrier() and other<br />
requests stuck in wait_barrier():<br />
<br />
md1_resync<br />
[] raise_barrier+0xce/0x1c0<br />
[] raid10_sync_request+0x1ca/0x1ed0<br />
[] md_do_sync+0x779/0x1110<br />
[] md_thread+0x90/0x160<br />
[] kthread+0xbe/0xf0<br />
[] ret_from_fork+0x34/0x50<br />
[] ret_from_fork_asm+0x1a/0x30<br />
<br />
kworker/u1040:2+flush-253:4<br />
[] wait_barrier+0x1de/0x220<br />
[] regular_request_wait+0x30/0x180<br />
[] raid10_make_request+0x261/0x1000<br />
[] md_handle_request+0x13b/0x230<br />
[] __submit_bio+0x107/0x1f0<br />
[] submit_bio_noacct_nocheck+0x16f/0x390<br />
[] ext4_io_submit+0x24/0x40<br />
[] ext4_do_writepages+0x254/0xc80<br />
[] ext4_writepages+0x84/0x120<br />
[] do_writepages+0x7a/0x260<br />
[] __writeback_single_inode+0x3d/0x300<br />
[] writeback_sb_inodes+0x1dd/0x470<br />
[] __writeback_inodes_wb+0x4c/0xe0<br />
[] wb_writeback+0x18b/0x2d0<br />
[] wb_workfn+0x2a1/0x400<br />
[] process_one_work+0x149/0x330<br />
[] worker_thread+0x2d2/0x410<br />
[] kthread+0xbe/0xf0<br />
[] ret_from_fork+0x34/0x50<br />
[] ret_from_fork_asm+0x1a/0x30
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.189 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.146 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.99 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12.39 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.15.7 (including) | 6.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16.1 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379
- https://git.kernel.org/stable/c/2249983d971e6839b36284e6610390b2c217dfa1
- https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963
- https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436
- https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
- https://git.kernel.org/stable/c/ae356d5eb1331d678985799f893e436314834a87
- https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45



