Description
In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: serialize lock/unlock against other NAND operations

nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
without holding the NAND device lock. On controllers that implement
SET_FEATURES via multiple low-level PIO commands, these can race with
concurrent UBI/UBIFS background erase/write operations that hold the
device lock, resulting in cmd_pending conflicts on the NAND controller.

Add nand_get_device()/nand_release_device() around the lock/unlock
operations to serialize them against all other NAND controller access.
Published: 2026-04-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Corruption / Service Disruption
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a race condition between nand_lock()/nand_unlock() and other NAND operations in the Linux kernel's MTD rawnand implementation. Because these functions do not hold the NAND device lock, the lock_area/unlock_area operations can issue PIO commands while UBI/UBIFS background erase/write tasks are in progress. These races create cmd_pending conflicts on the NAND controller, potentially leading to corrupted writes, data loss, or temporary loss of controller service. The weakness is a concurrency flaw (CWE-820) that affects the integrity and availability of devices using NAND flash storage.

Affected Systems

All Linux systems whose kernel includes the MTD rawnand driver and that use NAND flash storage are affected. The CNA vendor list only references Linux:Linux, and no specific kernel version is provided, so any kernel containing this code path is potentially vulnerable until the patch is applied.

Risk and Exploitability

The CVSS base score is 5.5, indicating moderate severity. The EPSS score is under 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to trigger simultaneous NAND operations such as concurrent UBI/UBIFS background erasures and active nand_lock/unlock calls, which is most likely achievable by a local user with sufficient privileges to manipulate storage or by a malicious application. The race is local and would not provide remote code execution but could be used to cause data corruption or a denial of service. The fix takes the NAND device lock (nand_get_device()/nand_release_device()) around the lock/unlock operations, which serializes them against other NAND controller access and prevents the race.

Generated by OpenCVE AI on April 7, 2026 at 09:24 UTC.
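The race and its fix, as an added user-space model that is not the kernel's code or part of the original advisory: an erase holds the device and has a command pending when a lock request arrives, first without and then with the device-lock check. All `model_*` names, `run_scenario`, and the choice of three PIO commands per SET_FEATURES are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the race; none of this is kernel code. */
struct model_chip {
    bool device_held;  /* stands in for the NAND device lock */
    bool cmd_pending;  /* controller is in the middle of a command */
    int conflicts;     /* commands issued while another was pending */
};

static bool model_get_device(struct model_chip *c) {
    bool was_held = c->device_held;  /* the real lock would make the caller wait */
    c->device_held = true;
    return !was_held;
}

static void model_cmd(struct model_chip *c, bool completes) {
    c->conflicts += c->cmd_pending;  /* controller was already busy */
    c->cmd_pending = !completes;
}

/* lock_area modelled as SET_FEATURES built from several PIO commands. */
static bool model_lock_area(struct model_chip *c, bool serialized) {
    if (serialized && !model_get_device(c))
        return false;  /* must wait: the erase owns the device */
    for (int i = 0; i < 3; i++)
        model_cmd(c, true);
    if (serialized)
        c->device_held = false;  /* release the device */
    return true;
}

/* Fixed interleaving: a lock request arrives while an erase is in flight. */
int run_scenario(bool serialized) {
    struct model_chip c = {0};
    model_get_device(&c);    /* background erase takes the device */
    model_cmd(&c, false);    /* erase command is now pending */
    bool ran = model_lock_area(&c, serialized);
    c.cmd_pending = false;   /* erase completes */
    c.device_held = false;   /* erase releases the device */
    if (!ran)
        model_lock_area(&c, serialized);  /* waiter runs after the release */
    return c.conflicts;
}

int main(void) {
    printf("unserialized=%d serialized=%d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

The interleaving is fixed rather than threaded so the result is repeatable; in the kernel the waiter blocks inside the device lock instead of retrying.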

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the rawnand race‑condition fix.
  • Rebuild the kernel with the updated MTD rawnand driver if using a custom kernel.
  • Verify that nand_lock and nand_unlock now execute within a device lock context.
  • Monitor system logs for NAND controller exceptions such as cmd_pending conflicts.
  • If an immediate update is not possible, minimize concurrent UBI/UBIFS background writes during maintenance operations.

Generated by OpenCVE AI on April 7, 2026 at 09:24 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
Title mtd: rawnand: serialize lock/unlock against other NAND operations
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:52.810Z

Reserved: 2026-01-13T15:37:46.016Z

Link: CVE-2026-23434

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-03T16:16:24.913

Modified: 2026-04-23T20:59:48.700

Link: CVE-2026-23434

Redhat

Severity: Low

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23434 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:54:05Z
