{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23368", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:49.889Z", "dateUpdated": "2026-03-25T10:27:49.889Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:49.889Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock \"triggers_list_lock\" via down_write(&triggers_list_lock);\n[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0\n[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0\n[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78\n[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [<80014504>] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock \"triggers_list_lock\" by down_read(&triggers_list_lock);\n[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4\n[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c\n[ 1362.232164] [<80014504>] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don't hold RTNL, so solving the AB-BA deadlock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/phy/phy_device.c"], "versions": [{"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6", "lessThan": "c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a", "status": "affected", "versionType": "git"}, {"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6", "lessThan": "c33523b8fd2d4c504ada18cd93f511f2a8f84217", "status": "affected", "versionType": "git"}, {"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6", "lessThan": "241cd64cf2e32b28ead151b1795cd8fef2b6e482", "status": "affected", "versionType": "git"}, {"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6", "lessThan": "2764dcb3c35de4410f642afc62cf979727470575", "status": "affected", "versionType": "git"}, {"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6", "lessThan": "cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757", "status": "affected", "versionType": "git"}, {"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6", "lessThan": "c8dbdc6e380e7e96a51706db3e4b7870d8a9402d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/phy/phy_device.c"], "versions": [{"version": "4.16", "status": "affected"}, {"version": "0", "lessThan": "4.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a"}, {"url": "https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217"}, {"url": "https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482"}, {"url": "https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575"}, {"url": "https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757"}, {"url": "https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d"}], "title": "net: phy: register phy led_triggers during probe to avoid AB-BA deadlock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock \"triggers_list_lock\" via down_write(&triggers_list_lock);\n[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0\n[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0\n[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78\n[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [<80014504>] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock \"triggers_list_lock\" by down_read(&triggers_list_lock);\n[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4\n[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c\n[ 1362.232164] [<80014504>] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don't hold RTNL, so solving the AB-BA deadlock."}], "id": "CVE-2026-23368", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:36.167", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock", "id": "2451175", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451175"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-833", "details": ["A flaw was found in the Linux kernel. An AB-BA deadlock can occur within the net: phy subsystem when registering LED triggers. This vulnerability arises because LED_TRIGGER_PHY attempts to acquire the rtnl_mutex and then triggers_list_lock, while LEDS_TRIGGER_NETDEV acquires these locks in the reverse order. This conflicting lock acquisition sequence can lead to a system hang, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23368", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23368\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23368\nhttps://lore.kernel.org/linux-cve-announce/2026032540-CVE-2026-23368-c240@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:51:24.864954+00:00", "value": {"mitigation_remediation": ["Apply a kernel patch that includes the commit moving the LED trigger registration to the PHY probe path", "If a patched kernel is unavailable, disable one of the conflicting LED triggers (either LED_TRIGGER_NETDEV or LED_TRIGGER_PHY) in the kernel configuration or via boot parameters", "If LED triggers are exposed through sysfs, restrict write permissions or temporarily remove access until the patch is applied"], "summary": {"action": "Patch", "impact": "Denial of Service (system deadlock)"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to any Linux kernel that builds with both LED_TRIGGER_NETDEV and LED_TRIGGER_PHY enabled. Because no specific kernel version range is supplied, the defect may be present in a broad segment of the kernel timeline. Administrators should verify whether these triggers are compiled into their kernel or exposed through sysfs in their environment.", "description_and_impact": "The flaw arises when the Linux kernel\u2019s PHY subsystem registers LED triggers while holding the rtnl_mutex and subsequently attempts to acquire the triggers_list_lock in the reverse order used by other code paths. This inverted lock ordering can lead to an AB\u2011BA deadlock that stalls kernel threads and can lock up the system. The weakness is a lock\u2011ordering issue that results in a local denial of service.", "risk_and_exploitability": "The issue requires local access; an attacker with the ability to load a PHY driver, enable a network device, or write to the LED trigger sysfs entries may trigger the deadlock. No remote exploitation path is documented, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The fix removes the reverse lock ordering by moving the LED trigger registration to the PHY probe stage, preventing the deadlock."}}}}, "created": "2026-03-25T21:31:47.755060+00:00", "updated": "2026-03-25T21:31:47.755099+00:00", "vendors": [], "weaknesses": ["CWE-754"]}