Description
In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: serialize lock/unlock against other NAND operations

nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
without holding the NAND device lock. On controllers that implement
SET_FEATURES via multiple low-level PIO commands, these can race with
concurrent UBI/UBIFS background erase/write operations that hold the
device lock, resulting in cmd_pending conflicts on the NAND controller.

Add nand_get_device()/nand_release_device() around the lock/unlock
operations to serialize them against all other NAND controller access.
Published: 2026-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Corruption / Service Disruption
Action: Patch Immediately
AI Analysis

Impact

A race condition exists between nand_lock/unlock and other NAND operations within the Linux kernel's MTD rawnand driver. Because the driver calls chip->ops.lock_area and unlock_area without holding the device lock, concurrent UBI/UBIFS background erase/write tasks that hold the lock can interfere with PIO commands executed to set controller features. This can cause cmd_pending conflicts on the NAND controller, leading to corrupt writes, data loss, or temporary loss of controller service. The weakness is a concurrency flaw (CWE‑820).
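An added example, not code from the kernel or from this advisory: a single-threaded userspace C model of the interleaving described above, comparing the pre-fix path with the serialized one. The struct, `simulate()` and the tick counts are constructed for illustration; only the names `nand_get_device()`, `cmd_pending` and `lock_area` come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model, not kernel code: one controller, one lock. */
struct ctrl {
    bool dev_locked;   /* stands in for the lock nand_get_device() takes */
    bool cmd_pending;  /* controller is busy with another command */
    int  conflicts;    /* PIO commands issued while one was pending */
};

/*
 * A background erase owns the device lock for ticks [0, erase_ticks) and
 * keeps the controller busy. A lock_area request made of pio_steps
 * low-level commands arrives at tick 1 and issues one command per tick.
 *
 * serialized == false: pre-fix path, issues commands without the lock.
 * serialized == true:  fixed path, waits for the device lock first.
 *
 * Returns the number of cmd_pending conflicts observed.
 */
int simulate(bool serialized, int erase_ticks, int pio_steps)
{
    struct ctrl c = { false, false, 0 };
    int remaining = pio_steps;
    bool owns = false;             /* lock_area path holds the device lock */

    for (int tick = 0; remaining > 0; tick++) {
        if (tick < erase_ticks) {
            c.dev_locked = c.cmd_pending = true;   /* erase in flight */
        } else if (!owns) {
            c.dev_locked = c.cmd_pending = false;  /* erase released it */
        }
        if (tick < 1) continue;                    /* request not arrived */
        if (serialized && !owns) {
            if (c.dev_locked) continue;            /* wait for the lock */
            c.dev_locked = owns = true;
        }
        if (c.cmd_pending) c.conflicts++;          /* collided with erase */
        remaining--;
    }
    return c.conflicts;
}

int main(void)
{
    printf("unserialized conflicts: %d\n", simulate(false, 3, 4));
    printf("serialized conflicts:   %d\n", simulate(true, 3, 4));
    return 0;
}
```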

Affected Systems

All Linux systems that use the default RBC 'mtd: rawnand' driver and have NAND flash storage are impacted. The CNA vendor list references Linux:Linux, and the list of affected CPEs includes all Linux kernel versions, so any build containing this code path is potentially vulnerable until the patch is applied.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. The EPSS score is under 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is local: an attacker with sufficient privileges to trigger concurrent NAND operations (such as a privileged user or a malicious application that initiates UBI/UBIFS background erasures while nand_lock/unlock is invoked) could exploit the race. This is inferred from the description, as the official advisory does not detail an attack step. The outcome would be data corruption or a denial of service to the storage subsystem; the flaw does not provide remote code execution.

Generated by OpenCVE AI on April 28, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that contains the rawnand race‑condition fix.
  • If you build your own kernel, rebuild it with the updated MTD rawnand driver that encloses nand_lock/unlock calls with nand_get_device()/nand_release_device().
  • If an immediate kernel update is not feasible, schedule maintenance so that concurrent UBI/UBIFS background erase/write operations and nand_lock/unlock calls are minimized during critical periods.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4561-1 | linux-6.1 security update |
| Debian DLA | DLA-4606-1 | linux security update |
| Debian DSA | DSA-6238-1 | linux security update |
| Debian DSA | DSA-6243-1 | linux security update |

History

Mon, 27 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'} |


Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
Title mtd: rawnand: serialize lock/unlock against other NAND operations
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:06:50.000Z

Reserved: 2026-01-13T15:37:46.016Z

Link: CVE-2026-23434

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-04-03T16:16:24.913

Modified: 2026-04-27T14:16:32.590

Link: CVE-2026-23434

Redhat

Severity: Low

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23434 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T22:00:14Z

Weaknesses