Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Wake up the error handler when final completions race against each other

The fragile ordering between marking commands completed or failed so
that the error handler only wakes when the last running command
completes or times out has race conditions. These race conditions can
cause the SCSI layer to fail to wake the error handler, leaving I/O
through the SCSI host stuck as the error state cannot advance.

First, there is an memory ordering issue within scsi_dec_host_busy().
The write which clears SCMD_STATE_INFLIGHT may be reordered with reads
counting in scsi_host_busy(). While the local CPU will see its own
write, reordering can allow other CPUs in scsi_dec_host_busy() or
scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to
see a host busy equal to the host_failed count.

This race condition can be prevented with a memory barrier on the error
path to force the write to be visible before counting host busy
commands.

Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By
counting busy commands before incrementing host_failed, it can race with a
final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does
not see host_failed incremented but scsi_eh_inc_host_failed() counts busy
commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),
resulting in neither waking the error handler task.

This needs the call to scsi_host_busy() to be moved after host_failed is
incremented to close the race condition.
Published: 2026-02-04
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to stuck SCSI I/O
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from a race condition in the Linux kernel’s SCSI core that can prevent the error handler from being woken after the final command completes or times out. The issue arises from improper memory ordering between marking commands as complete or failed, causing the host busy count and failed count to become unsynchronized. As a result, SCSI host I/O operations can remain indefinitely stalled, effectively denying service on affected devices.

Affected Systems

All Linux kernel builds that include the resident SCSI core implementation are susceptible, including the 6.19 release candidates (rc1 through rc6) and presumably later stable releases until the bug is patched. The problem is present in the core kernel, affecting any system that relies on SCSI host functionality.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is a race condition exploited during concurrent SCSI I/O commands. Exploitation would require precise timing of multiple concurrent SCSI commands and likely local or privileged access to the affected system. The CVSS score of 4.7 indicates a moderate severity. The EPSS score is below 1%, suggesting a very low likelihood of imminent exploitation, and the vulnerability is not listed in the CISA KEV catalog. While remote exploitation is improbable, an attacker with sufficient privileges could potentially abuse the race to render a device non‑functional. The main vector is race condition exploitation within kernel space during normal I/O operations.

Generated by OpenCVE AI on April 18, 2026 at 13:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the fix for this race condition, such as a release that includes the listed commit set;
  • Reboot the system so the new kernel is fully active and the offending race condition is resolved;
  • If the patch cannot be applied immediately, monitor kernel logs for SCSI host errors and consider disabling or limiting SCSI services until a fixed kernel is available.

Generated by OpenCVE AI on April 18, 2026 at 13:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
History

Sat, 18 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
References

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 06 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is an memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition.
Title scsi: core: Wake up the error handler when final completions race against each other
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:18.628Z

Reserved: 2026-01-13T15:37:45.968Z

Link: CVE-2026-23110

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-04T17:16:21.880

Modified: 2026-04-18T09:16:13.907

Link: CVE-2026-23110

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23110 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses