Description
In the Linux kernel, the following vulnerability has been resolved:

drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()

Even though we check that we "should" be able to do lc_get_cumulative()
while holding the device->al_lock spinlock, it may still fail,
if some other code path decided to do lc_try_lock() with bad timing.

If that happened, we logged "LOGIC BUG for enr=...",
but still did not return an error.

The rest of the code now assumed that this request has references
for the relevant activity log extents.

The implcations are that during an active resync, mutual exclusivity of
resync versus application IO is not guaranteed. And a potential crash
at this point may not realizs that these extents could have been target
of in-flight IO and would need to be resynced just in case.

Also, once the request completes, it will give up activity log references it
does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().

Fix:

Do not crash the kernel for a condition that is harmless during normal
operation: also catch "e->refcnt == 0", not only "e == NULL"
when being noisy about "al_complete_io() called on inactive extent %u\n".

And do not try to be smart and "guess" whether something will work, then
be surprised when it does not.
Deal with the fact that it may or may not work. If it does not, remember a
possible "partially in activity log" state (only possible for requests that
cross extent boundaries), and return an error code from
drbd_al_begin_io_nonblock().

A latter call for the same request will then resume from where we left off.
Published: 2026-03-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Kernel Crash)
Action: Immediate Patch
AI Analysis

Impact

A logic bug in the Linux kernel’s DRBD module can allow the kernel to crash during an active resynchronization of disk replicas. The issue originates when the code incorrectly handles a situation where a lock acquisition fails while holding the al_lock spinlock, causing a LOGIC BUG log message but the request is not aborted. This progresses to an attempt to release activity log references that were never granted, which triggers a BUG_ON and results in a kernel panic. The crash can also lead to incomplete resynchronization and data inconsistency if the affected extents were mid‑flight IO. The vulnerability therefore poses a confidentiality, integrity, and availability risk for systems using DRBD.

Affected Systems

The flaw is present in all Linux kernel distributions that include the DRBD module, as indicated by the CPE entry for linux:linux_kernel. No specific kernel or DRBD version numbers are provided, meaning that any system deploying DRBD is potentially impacted. The problem is tied to the interaction of active resynchronization and application I/O on the kernel level.

Risk and Exploitability

The CVSS scores are not disclosed, but the EPSS score is reported to be less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the most probable attack vector is a local or privileged user triggering the failure during DRBD resynchronization. Compromise is unlikely without such privileged context, yet the impact of a kernel crash is critical. Attackers would need to induce specific timing conditions that cause the lock failure, a nontrivial task, which further lowers the overall exploitation risk.

Generated by OpenCVE AI on March 26, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check your distribution’s security advisories for an updated Linux kernel that contains the DRBD logic bug fix. If an updated kernel is available, apply the patch following the vendor’s instructions, or install the newer kernel package. After upgrading, reboot the system to load the patched kernel. Verify that the DRBD package itself is up to date and that any custom kernels or modules are rebuilt against the new kernel header files.

Generated by OpenCVE AI on March 26, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log extents. The implcations are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realizs that these extents could have been target of in-flight IO and would need to be resynced just in case. Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). Fix: Do not crash the kernel for a condition that is harmless during normal operation: also catch "e->refcnt == 0", not only "e == NULL" when being noisy about "al_complete_io() called on inactive extent %u\n". And do not try to be smart and "guess" whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work. If it does not, remember a possible "partially in activity log" state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock(). A latter call for the same request will then resume from where we left off.
Title drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:08.080Z

Reserved: 2026-01-13T15:37:46.000Z

Link: CVE-2026-23356

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:34.270

Modified: 2026-04-18T09:16:20.740

Link: CVE-2026-23356

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23356 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:20Z

Weaknesses