CVE-2026-45949
CVSS v3.1 severity:
MEDIUM
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

hwrng: core - use RCU and work_struct to fix race condition

Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread
exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex
lock, a concurrent hwrng_unregister() may call kthread_stop() again on
the same task.

Additionally, if hwrng_unregister() is called immediately after
hwrng_register(), the stopped thread may have never been executed. Thus,
hwrng_fill remains dirty even after hwrng_unregister() returns. In this
case, subsequent calls to hwrng_register() will fail to start new
threads, and hwrng_unregister() will call kthread_stop() on the same
freed task. In both cases, a use-after-free occurs:

    refcount_t: addition on 0; use-after-free.
    WARNING: ... at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0
    Call Trace:
    kthread_stop+0x181/0x360
    hwrng_unregister+0x288/0x380
    virtrng_remove+0xe3/0x200

This patch fixes the race by protecting the global hwrng_fill pointer
inside the rng_mutex lock, so that hwrng_fillfn() thread is stopped only
once, and calls to kthread_run() and kthread_stop() are serialized
with the lock held.

To avoid deadlock in hwrng_fillfn() while being stopped with the lock
held, we convert current_rng to RCU, so that get_current_rng() can read
current_rng without holding the lock. To remove the lock from put_rng(),
we also delay the actual cleanup into a work_struct.

Since get_current_rng() no longer returns ERR_PTR values, the IS_ERR()
checks are removed from its callers.

With hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no
longer clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns
directly after current_rng is dropped, kthread_stop() would be called on
a freed task_struct later. To fix this, hwrng_fillfn() calls schedule()
now to keep the task alive until being stopped. The kthread_stop() call
is also moved from hwrng_unregister() to drop_current_rng(), ensuring
kthread_stop() is called on all possible paths where current_rng becomes
NULL, so that the thread would not wait forever.
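
The locking pattern the description lays out, modelled in user space with pthreads as an added example (this is not the kernel patch and not code from this advisory): the stop decision is made and cleared under `rng_mutex`, the worker reads `current_rng` without the lock, and it idles until it is stopped. Apart from `rng_mutex` and `current_rng`, every name is hypothetical, and an atomic pointer stands in for RCU.

```c
/* User-space pthreads model of the fixed locking. Hypothetical names, not kernel code. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

static pthread_mutex_t rng_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_t fill_thread;        /* valid only while fill_running is set */
static int fill_running, stop_calls; /* guarded by rng_mutex; fill_running models hwrng_fill */
static int device;                   /* constructed stand-in for an RNG device */
static _Atomic(int *) current_rng;   /* read without the lock, standing in for RCU */
static atomic_int should_stop;

static void *fill_fn(void *arg) {
    /* Takes no lock. With no device it yields instead of returning. */
    while (!atomic_load(&should_stop)) {
        int *rng = atomic_load(&current_rng);
        if (rng) (*rng)++;           /* pretend to pull entropy */
        sched_yield();
    }
    return arg;
}

static void *unregister_rng(void *arg) {
    pthread_mutex_lock(&rng_mutex);
    atomic_store(&current_rng, NULL);
    if (fill_running) {              /* tested and cleared under the lock */
        fill_running = 0;
        atomic_store(&should_stop, 1);
        pthread_join(fill_thread, NULL);
        stop_calls++;
    }
    pthread_mutex_unlock(&rng_mutex);
    return arg;
}

/* Register a device, race 8 unregisters, return how many of them stopped the worker. */
int run_model(void) {
    pthread_t t[8];
    pthread_mutex_lock(&rng_mutex);  /* register: publish device, start worker */
    atomic_store(&current_rng, &device);
    atomic_store(&should_stop, 0);
    stop_calls = 0;
    fill_running = pthread_create(&fill_thread, NULL, fill_fn, NULL) == 0;
    pthread_mutex_unlock(&rng_mutex);
    for (int i = 0; i < 8; i++) pthread_create(&t[i], NULL, unregister_rng, NULL);
    for (int i = 0; i < 8; i++) pthread_join(t[i], NULL);
    return stop_calls;
}

int main(void) { return run_model() == 1 ? 0 : 1; }
```

In pthreads an exited thread stays joinable, so the idle loop here mirrors the kernel requirement described above rather than being needed for memory safety in user space.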
Impact
Base score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.17 (including) | 6.12.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |