Description
In the Linux kernel, the following vulnerability has been resolved:

srcu: Use irq_work to start GP in tiny SRCU

Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
which acquires the workqueue pool->lock.

This causes a lockdep splat when call_srcu() is called with a scheduler
lock held, due to:

call_srcu() [holding pi_lock]
srcu_gp_start_if_needed()
schedule_work() -> pool->lock

workqueue_init() / create_worker() [holding pool->lock]
wake_up_process() -> try_to_wake_up() -> pi_lock

Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
use-after-free if a queued irq_work fires after cleanup begins.

Tested with rcutorture SRCU-T and no lockdep warnings.

[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
to start process_srcu()" ]
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a lock ordering defect in the Linux kernel's tiny SRCU subsystem. When call_srcu() is invoked while the scheduler's pi_lock is held, srcu_gp_start_if_needed() calls schedule_work(), which acquires the workqueue pool->lock. The workqueue code takes the same two locks in the opposite order, so lockdep reports the inversion, which can potentially lead to a deadlock or kernel panic. The patch also calls irq_work_sync() during cleanup of an srcu structure to prevent a use‑after‑free if a queued irq_work fires after cleanup begins.
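
The two call chains from the description, replayed through a small userspace model of lockdep-style lock-order tracking (an added example, not kernel code and not the patch itself). The lock names come from the advisory; `order_graph`, `acquire_while_holding` and `replay` are hypothetical names, and the deferred case assumes the irq_work handler runs only after the caller has dropped pi_lock.

```c
#include <stdio.h>

/* Added example: userspace model, lock names taken from the advisory. */
enum { PI_LOCK, POOL_LOCK, NLOCKS };
static const char *lock_name[NLOCKS] = { "pi_lock", "pool->lock" };

/* edge[a][b] != 0 means "b was acquired while a was held" at least once. */
struct order_graph { int edge[NLOCKS][NLOCKS]; };

/* Depth-first search: is 'to' reachable from 'from' along recorded edges? */
static int reachable(const struct order_graph *g, int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NLOCKS; n++)
        if (g->edge[from][n] && !seen[n] && reachable(g, n, to, seen))
            return 1;
    return 0;
}

/* Record "take 'next' while holding 'held'"; return 1 if that closes a cycle. */
static int acquire_while_holding(struct order_graph *g, int held, int next)
{
    int seen[NLOCKS] = {0};
    int inversion = reachable(g, next, held, seen);
    g->edge[held][next] = 1;
    if (inversion)
        printf("circular dependency: %s -> %s\n", lock_name[held], lock_name[next]);
    return inversion;
}

/* defer_via_irq_work == 0: schedule_work() is called with pi_lock held.
 * defer_via_irq_work == 1: schedule_work() runs from the irq_work handler
 * with no scheduler lock held (assumption), so no new edge is recorded. */
int replay(int defer_via_irq_work)
{
    struct order_graph g = {{{0}}};
    /* create_worker() [holding pool->lock] -> wake_up_process() -> pi_lock */
    int splat = acquire_while_holding(&g, POOL_LOCK, PI_LOCK);
    /* call_srcu() [holding pi_lock] -> schedule_work() -> pool->lock */
    if (!defer_via_irq_work)
        splat |= acquire_while_holding(&g, PI_LOCK, POOL_LOCK);
    return splat;
}

int main(void)
{
    printf("direct schedule_work(): %s\n", replay(0) ? "inversion" : "ok");
    printf("deferred via irq_work: %s\n", replay(1) ? "inversion" : "ok");
    return 0;
}
```
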

Affected Systems

All Linux kernel releases prior to the inclusion of commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af are affected. The vendor list indicates the entire Linux kernel line, and no specific version constraints are provided, so any kernel lacking the fix should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 5.5 and EPSS score of < 1% indicate a moderate severity but a very low probability of exploitation. An attacker would need to execute kernel‑mode code that triggers the SRCU path while holding the pi lock, a scenario limited to privileged or internal kernel components. The absence of a KEV listing further suggests a low likelihood of exploitation in the wild. The primary risk is therefore a denial‑of‑service from kernel instability rather than privilege escalation or data breach.

Generated by OpenCVE AI on May 8, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af, which fixes the lock ordering and use‑after‑free flaws.
  • If an immediate upgrade is not possible, backport the specific commit that corrects srcu_gp_start_if_needed and adds irq_work_sync during cleanup_srcu_struct to eliminate use‑after‑free and lock ordering issues.
  • Ensure that all queued irq_work is synchronously completed before freeing srcu structures to prevent use‑after‑free.
  • Avoid calling call_srcu while holding the pi_lock or restrict SRCU usage in critical sections to maintain safe lock ordering.

Generated by OpenCVE AI on May 8, 2026 at 22:55 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-605

Fri, 08 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-605

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: srcu: Use irq_work to start GP in tiny SRCU Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool->lock. This causes a lockdep splat when call_srcu() is called with a scheduler lock held, due to: call_srcu() [holding pi_lock] srcu_gp_start_if_needed() schedule_work() -> pool->lock workqueue_init() / create_worker() [holding pool->lock] wake_up_process() -> try_to_wake_up() -> pi_lock Also add irq_work_sync() to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins. Tested with rcutorture SRCU-T and no lockdep warnings. [ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work to start process_srcu()" ]
Title srcu: Use irq_work to start GP in tiny SRCU
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:18:02.663Z

Reserved: 2026-05-01T14:12:55.986Z

Link: CVE-2026-43115

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T10:16:25.290

Modified: 2026-05-08T17:51:44.920

Link: CVE-2026-43115

Redhat

Severity:

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43115 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T23:00:16Z

Weaknesses