Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: make calc_target() set t->paused, not just clear it

Currently calc_target() clears t->paused if the request shouldn't be
paused anymore, but doesn't ever set t->paused even though it's able to
determine when the request should be paused. Setting t->paused is left
to __submit_request() which is fine for regular requests but doesn't
work for linger requests -- since __submit_request() doesn't operate
on linger requests, there is nowhere for lreq->t.paused to be set.
One consequence of this is that watches don't get reestablished on
paused -> unpaused transitions in cases where requests have been paused
long enough for the (paused) unwatch request to time out and for the
subsequent (re)watch request to enter the paused state. On top of the
watch not getting reestablished, rbd_reregister_watch() gets stuck with
rbd_dev->watch_mutex held:

rbd_register_watch
__rbd_register_watch
ceph_osdc_watch
linger_reg_commit_wait

It's waiting for lreq->reg_commit_wait to be completed, but for that to
happen the respective request needs to end up on need_resend_linger list
and be kicked when requests are unpaused. There is no chance for that
if the request in question is never marked paused in the first place.

The fact that rbd_dev->watch_mutex remains taken out forever then
prevents the image from getting unmapped -- "rbd unmap" would inevitably
hang in D state on an attempt to grab the mutex.
Published: 2026-02-04
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service from kernel deadlock during RBD operations
Action: Patch Immediately
AI Analysis

Impact

The Linux kernel libceph subsystem contains a logic flaw where the function calc_target() fails to set the paused flag for linger requests, only clearing it. This oversight prevents the system from marking certain requests as paused, causing watches to miss the re‑establishment of event notifications. As a result, the rbd_dev->watch_mutex remains held indefinitely during an rbd_unmap operation, making the operation hang in a D state and effectively rendering the associated RBD image unusable. The flaw does not crash the kernel but induces a deadlock that freezes key RBD functionalities.

Affected Systems

The vulnerability exists in the Linux kernel’s Ceph RBD subsystem (libceph). No specific kernel version range is listed, so any kernel build using the affected libceph code is potentially impacted.

Risk and Exploitability

The CVSS base score of 7.0 reflects a moderate‑high severity. The EPSS value of < 1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not yet present in CISA’s KEV catalog. Exploitation requires the ability to trigger RBD operations such as mounting, unmounting, or sending linger requests, which typically implies local or privileged access. If an attacker can invoke an unmap or a similar action, the kernel can deadlock, resulting in a denial of service that may affect services or applications depending on the affected RBD image. The lack of an unavailable wide‑scale exploitation window suggests that the threat remains theoretical but the impact is serious if the situation arises.

Generated by OpenCVE AI on April 18, 2026 at 14:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the libceph patch setting the paused flag correctly.
  • If an immediate kernel upgrade is not feasible, stop all RBD mounts or unmount every RBD image until the patch is applied to avoid triggering the deadlock.
  • After applying the fix, monitor kernel logs for any reference to "watch_mutex" or leftover deadlocks and verify RBD operations operate normally.

Generated by OpenCVE AI on April 18, 2026 at 14:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8096-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-4 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-5 Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN Ubuntu USN USN-8116-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8141-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
History

Sat, 18 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-750

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_wait It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex.
Title libceph: make calc_target() set t->paused, not just clear it
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:42.355Z

Reserved: 2026-01-13T15:37:45.944Z

Link: CVE-2026-23047

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-02-04T16:16:20.227

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23047

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23047 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses