Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix recursive locking in __configfs_open_file()

In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:

down_read
__configfs_open_file
do_dentry_open
vfs_open
do_open
path_openat
do_filp_open
file_open_name
filp_open
target_core_item_dbroot_store
flush_write_buffer
configfs_write_iter

target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:

db_root: not a directory: /sys/kernel/config/target/dbroot

indicating that it tried to open the same configfs file that it is
currently working on. Thus, it is trying to acquire the frag_sem semaphore
of the same file whose semaphore it already holds, obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.

Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using filesystem-specific
function __configfs_open_file(), and further modifying it to make this fix
compatible.
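
The nesting described above, reduced to a user-space C model (an added example, not the kernel's code or the patch itself). `write_dbroot()`, `lookup()` and `open_is_dir()` are hypothetical stand-ins for the configfs write path, kern_path() and filp_open(); the sample paths, return codes and depth counter are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model: one task, one frag_sem per configfs attribute file. */
struct sem  { int depth, max_depth; };
struct node { const char *path; bool is_dir; struct sem *frag_sem; };

static void sem_down_read(struct sem *s)
{
    if (++s->depth > s->max_depth)
        s->max_depth = s->depth;          /* 2 = same lock taken while held */
}
static void sem_up_read(struct sem *s) { s->depth--; }

static struct sem dbroot_sem;
static struct node tree[] = {             /* constructed sample namespace */
    { "/var/target",                      true,  NULL },
    { "/sys/kernel/config/target/dbroot", false, &dbroot_sem },
};

static struct node *lookup(const char *path)     /* stands in for kern_path() */
{
    for (size_t i = 0; i < sizeof(tree) / sizeof(tree[0]); i++)
        if (strcmp(tree[i].path, path) == 0)
            return &tree[i];
    return NULL;
}

static int open_is_dir(struct node *n)           /* stands in for filp_open() */
{
    if (n->frag_sem) sem_down_read(n->frag_sem); /* __configfs_open_file() */
    int ret = n->is_dir ? 0 : -ENOTDIR;
    if (n->frag_sem) sem_up_read(n->frag_sem);
    return ret;
}

/* A write to dbroot: the store handler runs with dbroot's frag_sem held. */
int write_dbroot(const char *new_path, bool use_lookup_only)
{
    dbroot_sem.max_depth = 0;
    sem_down_read(&dbroot_sem);                  /* flush_write_buffer() */
    struct node *n = lookup(new_path);
    int ret = !n ? -ENOENT
            : use_lookup_only ? (n->is_dir ? 0 : -ENOTDIR)
            : open_is_dir(n);
    sem_up_read(&dbroot_sem);
    return ret;
}

int last_lock_depth(void) { return dbroot_sem.max_depth; }
```

Both variants reject the self-referential path as a non-directory; only the open-based one reaches a lock depth of 2 on the way there.
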
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A recursive locking issue is described in the Linux kernel’s SCSI target configuration path. The problem arises when a file write operation triggers a sequence that re‑acquires a semaphore it already holds, potentially leading to a recursive lock. The description notes a "possibility of recursive locking," and it is inferred that if this occurs the system could lock up and become unavailable, resulting in a denial of service.

Affected Systems

All Linux kernel builds that include the SCSI target (target_core) module before the patch is merged are affected. The CVE does not provide a specific version range, so any kernel lacking the change that replaces a filp_open with kern_path in target_core_item_dbroot_store is at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests a low probability of active exploitation. The issue is limited to local interaction with the /sys/kernel/config/target filesystem, so the likely attack vector is local privileged file manipulation or kernel access. The vulnerability does not provide remote code execution or privilege escalation, and the CVE is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on March 26, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch replacing filp_open with kern_path in target_core_item_dbroot_store
  • Reboot the system after upgrading the kernel so the new lock handling takes effect
  • If an update cannot be applied immediately, restrict write permissions to /sys/kernel/config/target or unload the target_core module until the patch is installed
  • Monitor system logs for configfs errors or signs of kernel deadlock to confirm the issue is resolved


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-773

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-764
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-773

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description
Title scsi: target: Fix recursive locking in __configfs_open_file()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:03:45.806Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23292

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-25T11:16:24.357

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23292

Red Hat

Severity: Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:13Z
