CVE-2026-46050

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/05/2026
Last modified: 16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid10: fix deadlock with check operation and nowait requests

When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case.

This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0.

Output of r10conf state of the array when we hit this condition:

    crash> struct r10conf
    barrier = 1,
    nr_pending = {
      counter = -41
    },
    nr_waiting = 15,
    nr_queued = 0,

Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier():

    md1_resync
    [] raise_barrier+0xce/0x1c0
    [] raid10_sync_request+0x1ca/0x1ed0
    [] md_do_sync+0x779/0x1110
    [] md_thread+0x90/0x160
    [] kthread+0xbe/0xf0
    [] ret_from_fork+0x34/0x50
    [] ret_from_fork_asm+0x1a/0x30

    kworker/u1040:2+flush-253:4
    [] wait_barrier+0x1de/0x220
    [] regular_request_wait+0x30/0x180
    [] raid10_make_request+0x261/0x1000
    [] md_handle_request+0x13b/0x230
    [] __submit_bio+0x107/0x1f0
    [] submit_bio_noacct_nocheck+0x16f/0x390
    [] ext4_io_submit+0x24/0x40
    [] ext4_do_writepages+0x254/0xc80
    [] ext4_writepages+0x84/0x120
    [] do_writepages+0x7a/0x260
    [] __writeback_single_inode+0x3d/0x300
    [] writeback_sb_inodes+0x1dd/0x470
    [] __writeback_inodes_wb+0x4c/0xe0
    [] wb_writeback+0x18b/0x2d0
    [] wb_workfn+0x2a1/0x400
    [] process_one_work+0x149/0x330
    [] worker_thread+0x2d2/0x410
    [] kthread+0xbe/0xf0
    [] ret_from_fork+0x34/0x50
    [] ret_from_fork_asm+0x1a/0x30
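The unbalanced counter described above, as an added example that is neither kernel code nor the upstream fix: a user-space C model of the accounting. The names r10conf_model, submit_nowait() and resync_can_proceed() are hypothetical, the "balanced" path is an assumption used only for contrast, and the request count of 41 is constructed to reproduce the counter = -41 value in the crash output.

```c
/* User-space model of the accounting described above (constructed for
 * illustration; names mirror the description, bodies are not kernel code). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct r10conf_model {
    int barrier;            /* raised while a check is running */
    atomic_int nr_pending;  /* requests admitted by wait_barrier() */
};

/* A NOWAIT request that meets a raised barrier fails immediately and does
 * not increment nr_pending. The sleep of a blocking request is not modelled. */
static bool wait_barrier(struct r10conf_model *c, bool nowait)
{
    if (c->barrier && nowait)
        return false;
    atomic_fetch_add(&c->nr_pending, 1);
    return true;
}

/* Unconditional decrement, as the description says of allow_barrier(). */
static void allow_barrier(struct r10conf_model *c)
{
    atomic_fetch_sub(&c->nr_pending, 1);
}

/* Submit n NOWAIT requests against a raised barrier and return nr_pending.
 * balanced == false: the failure path ends in allow_barrier() (the bug).
 * balanced == true: hypothetical path that skips the unmatched decrement. */
static int submit_nowait(int n, bool balanced)
{
    struct r10conf_model c = { .barrier = 1, .nr_pending = 0 };
    for (int i = 0; i < n; i++)
        if (!wait_barrier(&c, true) && !balanced)
            allow_barrier(&c);
    return atomic_load(&c.nr_pending);
}

/* The resync thread waits for nr_pending == 0 before it can continue. */
static bool resync_can_proceed(int nr_pending) { return nr_pending == 0; }

int main(void)
{
    printf("unbalanced: nr_pending = %d\n", submit_nowait(41, false));
    printf("balanced:   nr_pending = %d\n", submit_nowait(41, true));
    return 0;
}
```

In the unbalanced run the counter only moves further below zero with each rejected NOWAIT request, so the condition the resync thread waits on is never met.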

Vulnerable products and versions

CPE                                           From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.15.189 (including)  5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.1.146 (including)   6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.6.99 (including)    6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.12.39 (including)   6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.15.7 (including)    6.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.16.1 (including)    6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.19 (including)      7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*