CVE-2026-46063
CVSS v3.1 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

x86/shstk: Prevent deadlock during shstk sigreturn

During sigreturn the shadow stack signal frame is popped. The kernel does
this by reading the shadow stack using normal read accesses. When it can't
assume the memory is shadow stack, it takes extra steps to make sure it is
reading actual shadow stack memory and not other normal readable memory. It
does this by holding the mmap read lock while doing the access and checking
the flags of the VMA.

Unfortunately that is not safe. If the read of the shadow stack sigframe
hits a page fault, the fault handler will try to recursively grab another
mmap read lock. This normally works ok, but if a writer on another CPU is
also waiting, the second read lock could fail and cause a deadlock.

Fix this by not holding mmap lock during the read access to userspace.

Instead use mmap_lock_speculate_...() to watch for changes between dropping
mmap lock and the userspace access. Retry if anything grabbed an mmap write
lock in between and could have changed the VMA.

These mmap_lock_speculate_...() helpers use mm::mm_lock_seq, which is only
available when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK
depend on it. On x86, PER_VMA_LOCK is a default configuration for SMP
kernels. So drop support for the other configs under the assumption that
the !SMP shadow stack user base does not exist.

Currently there is a check that skips the lookup work when the SSP can be
assumed to be on a shadow stack. While reorganizing the function, remove
the optimization to make the tricky code flows more common, such that
issues like this cannot escape detection for so long.
Impact
Base score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.88 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
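A triage check built from the version ranges in the table above and the X86_USER_SHADOW_STACK option named in the description, as an added example that is not part of the original advisory or the kernel project. It compares upstream version numbers only (a distribution kernel with backported fixes can carry the fix under an older version string), and the function names, result strings and sample configs are constructed for illustration.

```python
import re

# Affected upstream ranges from the table above: (first affected, first fixed).
AFFECTED = [
    ((6, 6, 0), (6, 6, 140)),
    ((6, 7, 0), (6, 12, 88)),
    ((6, 13, 0), (6, 18, 27)),
    ((6, 19, 0), (7, 0, 4)),
]

def parse_release(release):
    """Turn a `uname -r` style string into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def in_affected_range(release):
    """True if the upstream version falls inside one of the listed ranges."""
    version = parse_release(release)
    return any(low <= version < high for low, high in AFFECTED)

def shadow_stack_built(config_text):
    """True if the build config sets CONFIG_X86_USER_SHADOW_STACK=y."""
    return re.search(r"^CONFIG_X86_USER_SHADOW_STACK=y\s*$", config_text, re.M) is not None

def assess(release, config_text=None):
    """Classify a host from its release string and, optionally, its build config."""
    if not in_affected_range(release):
        return "outside listed ranges"
    if config_text is None:
        return "in range, config unknown"
    if shadow_stack_built(config_text):
        return "in range, user shadow stack built"
    # Assumption: without this option the shstk sigreturn code is not compiled in.
    return "in range, user shadow stack not built"

# Constructed sample inputs, not taken from any real host.
SAMPLE_CONFIG_ON = "CONFIG_SMP=y\nCONFIG_PER_VMA_LOCK=y\nCONFIG_X86_USER_SHADOW_STACK=y\n"
SAMPLE_CONFIG_OFF = "CONFIG_SMP=y\n# CONFIG_X86_USER_SHADOW_STACK is not set\n"

if __name__ == "__main__":
    for rel, cfg in [("6.6.139", SAMPLE_CONFIG_ON), ("6.12.88", None),
                     ("6.18.26-custom", SAMPLE_CONFIG_OFF), ("7.0.4", SAMPLE_CONFIG_ON)]:
        print(rel, "->", assess(rel, cfg))
```

On a real host the inputs would be the output of `uname -r` and the kernel build config, commonly found at `/boot/config-$(uname -r)`.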
References to solutions, tools and information
- https://git.kernel.org/stable/c/3d29db827502067626062f5c74dd502d14ab15bc
- https://git.kernel.org/stable/c/4f3374c990fb2adec06d20fd6d780927811c9aa0
- https://git.kernel.org/stable/c/9874b2917b9fbc30956fee209d3c4aa47201c64e
- https://git.kernel.org/stable/c/d042d69b417515959e49021fef008c9b04a99bd5
- https://git.kernel.org/stable/c/e2c2b044458cbf22da05264fa707308e8d4f86f9



