Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-45949

CVSS v3.1 severity:
MEDIUM
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
27/05/2026
Last modified:
16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

hwrng: core - use RCU and work_struct to fix race condition

Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex lock, a concurrent hwrng_unregister() may call kthread_stop() again on the same task.

Additionally, if hwrng_unregister() is called immediately after hwrng_register(), the stopped thread may have never been executed. Thus, hwrng_fill remains dirty even after hwrng_unregister() returns. In this case, subsequent calls to hwrng_register() will fail to start new threads, and hwrng_unregister() will call kthread_stop() on the same freed task. In both cases, a use-after-free occurs:

refcount_t: addition on 0; use-after-free.
WARNING: ... at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0
Call Trace:
 kthread_stop+0x181/0x360
 hwrng_unregister+0x288/0x380
 virtrng_remove+0xe3/0x200

This patch fixes the race by protecting the global hwrng_fill pointer inside the rng_mutex lock, so that the hwrng_fillfn() thread is stopped only once, and calls to kthread_run() and kthread_stop() are serialized with the lock held.

To avoid deadlock in hwrng_fillfn() while being stopped with the lock held, we convert current_rng to RCU, so that get_current_rng() can read current_rng without holding the lock. To remove the lock from put_rng(), we also delay the actual cleanup into a work_struct.

Since get_current_rng() no longer returns ERR_PTR values, the IS_ERR() checks are removed from its callers.

With hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no longer clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns directly after current_rng is dropped, kthread_stop() would be called on a freed task_struct later. To fix this, hwrng_fillfn() now calls schedule() to keep the task alive until being stopped. The kthread_stop() call is also moved from hwrng_unregister() to drop_current_rng(), ensuring kthread_stop() is called on all possible paths where current_rng becomes NULL, so that the thread would not wait forever.
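The two failure sequences in the commit message (two hwrng_unregister() calls racing on one fill thread, and register/unregister repeated while the thread never got to run) can be replayed deterministically in user space. The following C model is an added illustration written for this page; it is not the kernel's drivers/char/hw_random/core.c nor any code from the commit, and every identifier in it (task_t, kthread_run_model, run_case, the locked flag and so on) is invented. It models only the "hwrng_fill read without rng_mutex" half of the bug and its fix (read, clear and stop serialized under the lock); the RCU and work_struct changes are not modelled. A task_struct is reduced to a refcount, and a refcount increment on zero stands in for the refcount_warn_saturate() warning in the trace.

```c
/* Added illustration for this advisory, not kernel code: a user-space
 * model of the hwrng_fill race from the commit message above. All names
 * (task_t, *_model, run_case, ...) are invented. Only the "hwrng_fill read
 * without rng_mutex" part is modelled; the RCU/work_struct part is not. */
#include <stdio.h>

/* Stand-in for task_struct: refcount is 1 (the thread's own reference)
 * while the task lives and 0 once freed; ran records whether the fill
 * thread body ever executed before it was stopped. */
typedef struct { int refcount; int ran; } task_t;

static task_t task_pool[4];
static int task_next;      /* threads started since the last reset */
static int uaf_warnings;   /* one per "refcount_t: addition on 0" */
static task_t *hwrng_fill; /* the global pointer the race is about */

static int tasks_started(void) { return task_next; }

static task_t *kthread_run_model(int thread_gets_to_run)
{
    task_t *t = &task_pool[task_next++ % 4];
    t->refcount = 1;
    t->ran = thread_gets_to_run;
    return t;
}

/* refcount_inc() on a zero count is what prints the warning in the trace:
 * the task_struct behind the pointer was already freed. */
static int refcount_inc_model(int *rc)
{
    if (*rc == 0) { uaf_warnings++; return 0; }
    (*rc)++;
    return 1;
}

/* kthread_stop(): get a reference, wait for the thread to exit (it drops
 * its own reference), put ours; the last put frees the task. The pre-fix
 * hwrng_fillfn() cleared hwrng_fill on exit, so if the thread actually
 * ran and clear_on_exit is given, that pointer is cleared here. */
static void kthread_stop_model(task_t *t, task_t **clear_on_exit)
{
    if (!refcount_inc_model(&t->refcount))
        return;                        /* use-after-free: stop right here */
    if (t->ran && clear_on_exit)
        *clear_on_exit = NULL;
    t->refcount -= 2;                  /* thread exit + kthread_stop()'s put */
}

static void hwrng_register_model(int thread_gets_to_run)
{
    if (!hwrng_fill)                   /* dirty pointer: no thread started */
        hwrng_fill = kthread_run_model(thread_gets_to_run);
}

/* hwrng_unregister() split into its read and its kthread_stop() so two
 * CPUs can be interleaved between them.
 * locked=0 (pre-fix): plain read outside rng_mutex; the thread is expected
 *   to clear hwrng_fill itself when it exits.
 * locked=1 (post-fix): read, clear and stop happen with rng_mutex held, so
 *   no other CPU sees the pointer between them; clearing at read time is
 *   equivalent in this model. */
static task_t *unregister_read(int locked)
{
    task_t *t = hwrng_fill;
    if (locked)
        hwrng_fill = NULL;
    return t;
}
static void unregister_stop(task_t *t, int locked)
{
    if (t)
        kthread_stop_model(t, locked ? NULL : &hwrng_fill);
}

/* Replay one sequence from the commit message; returns the number of
 * use-after-free warnings raised. concurrent=1: thread running, two
 * unregisters race. concurrent=0: unregister right after register
 * (thread never ran), then register/unregister again. */
static int run_case(int locked, int concurrent)
{
    task_next = 0; uaf_warnings = 0; hwrng_fill = NULL;
    if (concurrent) {
        hwrng_register_model(1);
        task_t *a = unregister_read(locked);  /* CPU 0 reads hwrng_fill */
        task_t *b = unregister_read(locked);  /* CPU 1 reads it too */
        unregister_stop(a, locked);           /* frees the task */
        unregister_stop(b, locked);           /* pre-fix: stop on freed task */
    } else {
        hwrng_register_model(0);
        unregister_stop(unregister_read(locked), locked);
        hwrng_register_model(0);              /* pre-fix: starts nothing */
        unregister_stop(unregister_read(locked), locked);
    }
    return uaf_warnings;
}

int main(void)
{
    printf("pre-fix : case 1 -> %d warning(s)\n", run_case(0, 1));
    printf("pre-fix : case 2 -> %d warning(s)\n", run_case(0, 0));
    printf("post-fix: case 1 -> %d warning(s)\n", run_case(1, 1));
    printf("post-fix: case 2 -> %d warning(s)\n", run_case(1, 0));
    return 0;
}
```

Built with any C99 compiler (cc -std=c99 model.c), the pre-fix run raises one warning in each case and, in case 2, starts only one thread because the stale pointer suppresses kthread_run(); the post-fix run raises none and starts a second thread in case 2 because unregister itself cleared hwrng_fill. The model does not reproduce the deadlock the commit avoids with RCU: in the real driver the stop now happens with rng_mutex held, so the fill thread must not need that lock to make progress.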

Vulnerable products and versions

CPE                                              From               To
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     3.17 (including)   6.12.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.13 (including)   6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.19 (including)   6.19.4 (excluding)