Description
In the Linux kernel, the following vulnerability has been resolved:

riscv: trace: fix snapshot deadlock with sbi ecall

If sbi_ecall.c's functions are traceable,

echo "__sbi_ecall:snapshot" > /sys/kernel/tracing/set_ftrace_filter

may get the kernel into a deadlock.

(Functions in sbi_ecall.c are excluded from tracing if
CONFIG_RISCV_ALTERNATIVE_EARLY is set.)

__sbi_ecall triggers a snapshot of the ringbuffer. The snapshot code
raises an IPI interrupt, which results in another call to __sbi_ecall
and another snapshot...

All it takes to get into this endless loop is one initial __sbi_ecall.
On RISC-V systems without SSTC extension, the clock events in
timer-riscv.c issue periodic sbi ecalls, making the problem easy to
trigger.

Always exclude the sbi_ecall.c functions from tracing to fix the
potential deadlock.

sbi ecalls can easily be logged via trace events; excluding ecall
functions from function tracing is not a big limitation.
Published: 2026-02-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel deadlock
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, a trace configuration that includes the __sbi_ecall function can trigger an infinite loop of trace snapshots. Each snapshot raises an IPI that re‑enters __sbi_ecall, causing a recursive deadlock that freezes the kernel. The flaw stems from a scheduling deadlock vulnerability (CWE‑667) and results in a denial of service that can halt all system activity for the affected RISC‑V CPUs.

Affected Systems

All RISC‑V builds of the Linux kernel that compile sbi_ecall.c with function-tracing instrumentation, specifically kernel versions 6.11 and 6.19/RC1–RC4, are affected. The problem also exists in any future releases that have not yet incorporated the fix to exclude sbi_ecall functions from function tracing. Linux kernel vendors such as the Linux Foundation maintain these releases and provide the necessary patch.

Risk and Exploitability

The CVSS v3 score of 5.5 indicates moderate severity. EPSS is less than 1 percent, suggesting low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need local privilege or the ability to write to /sys/kernel/tracing/set_ftrace_filter to inject the "__sbi_ecall" trace filter. The deadlock is triggered by a single initial __sbi_ecall, making the exploit straightforward once the trace filter is configured; systems that enable timer‑based sbi ecalls without the SSTC extension are particularly easy to target.

Generated by OpenCVE AI on April 17, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched kernel version that excludes sbi_ecall.c functions from tracing. This includes Linux 6.11+ and all stable releases that incorporate the fix.
  • If an upgrade is not immediately possible, remove "__sbi_ecall" from the ftrace filter or set CONFIG_RISCV_ALTERNATIVE_EARLY=y to automatically exclude the functions.
  • Verify that any other trace‑enabled subsystems are not configured to monitor sbi ecalls, and consider disabling function tracing for the RISC‑V core to avoid accidental deadlock.

Generated by OpenCVE AI on April 17, 2026 at 18:39 UTC.
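An audit helper for the commit message's trigger condition and the recommended actions above, added here as an example (it is not code from the page, the kernel tree, or OpenCVE). It checks a tracefs directory for two things a defender cares about: whether __sbi_ecall is still traceable (a kernel with the fix builds sbi_ecall.o without ftrace instrumentation, so the function never appears in available_filter_functions), and whether the active ftrace filter already names it. The default path /sys/kernel/tracing is assumed, and the sample tracefs contents it can build are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the page or the kernel tree): audit a tracefs mount for the
# CVE-2026-23217 precondition. Assumes tracefs at /sys/kernel/tracing unless a
# directory is passed; the real files need root to read.

# 0 if __sbi_ecall is traceable. available_filter_functions lists every ftrace
# call site; a fixed kernel never lists __sbi_ecall there.
sbi_ecall_traceable() {
    grep -Eq '^__sbi_ecall( |$)' \
        "${1:-/sys/kernel/tracing}/available_filter_functions" 2>/dev/null
}

# 0 if the active filter already names __sbi_ecall (e.g. the
# "__sbi_ecall:snapshot" entry from the description), 1 otherwise.
sbi_ecall_filtered() {
    grep -q '^__sbi_ecall' "${1:-/sys/kernel/tracing}/set_ftrace_filter" 2>/dev/null
}

# Print findings; return 1 if either condition holds, 0 when the system is clean.
audit_tracefs() {
    tracefs="${1:-/sys/kernel/tracing}"
    status=0
    if sbi_ecall_traceable "$tracefs"; then
        echo "WARN: __sbi_ecall is traceable; this kernel lacks the fix"
        status=1
    fi
    if sbi_ecall_filtered "$tracefs"; then
        echo "WARN: set_ftrace_filter names __sbi_ecall; clear it with: echo > $tracefs/set_ftrace_filter"
        status=1
    fi
    return "$status"
}

# Constructed sample tracefs contents for offline testing; not real kernel output.
# "#### all functions enabled ####" is what an empty set_ftrace_filter reads back as.
make_sample_tracefs() {
    mkdir -p "$1"
    if [ "$2" = vulnerable ]; then
        printf '%s\n' sbi_init __sbi_ecall sbi_send_ipi > "$1/available_filter_functions"
        printf '%s\n' '__sbi_ecall:snapshot:unlimited' > "$1/set_ftrace_filter"
    else
        printf '%s\n' sbi_init sbi_send_ipi > "$1/available_filter_functions"
        printf '%s\n' '#### all functions enabled ####' > "$1/set_ftrace_filter"
    fi
}

# Usage: sh audit.sh [tracefs-dir]; with no argument only the functions are defined.
if [ $# -gt 0 ]; then audit_tracefs "$1"; fi
```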

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 17:45:00 +0000

Type / Values Removed / Values Added
Weaknesses: CWE-667
CPEs:
  • cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Metrics: cvssV3_1, score 5.5, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


Thu, 19 Feb 2026 00:15:00 +0000


Wed, 18 Feb 2026 14:45:00 +0000

Type / Values Removed / Values Added
Description: the full commit text shown in the Description section at the top of this page
Title: riscv: trace: fix snapshot deadlock with sbi ecall
First Time appeared: Linux, Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-20T11:31:05.011Z

Reserved: 2026-01-13T15:37:45.987Z

Link: CVE-2026-23217

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-18T15:18:43.080

Modified: 2026-03-18T17:36:43.673

Link: CVE-2026-23217

Redhat

Severity :

Public Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23217 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses