CVE-2026-45855 - Vulnerability Details

- ata: libata-scsi: avoid Non-NCQ command starvation

Description

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-scsi: avoid Non-NCQ command starvation

When a non-NCQ command is issued while NCQ commands are being executed,
ata_scsi_qc_issue() indicates to the SCSI layer that the command issuing
should be deferred by returning SCSI_MLQUEUE_XXX_BUSY. This command
deferring is correct and as mandated by the ACS specifications since
NCQ and non-NCQ commands cannot be mixed.

However, in the case of a host adapter using multiple submission queues,
when the target device is under a constant load of NCQ commands, there
are no guarantees that requeueing the non-NCQ command will be executed
later and it may be deferred again repeatedly as other submission queues
can constantly issue NCQ commands from different CPUs ahead of the
non-NCQ command. This can lead to very long delays for the execution of
non-NCQ commands, and even complete starvation for these commands in the
worst case scenario.

Since the block layer and the SCSI layer do not distinguish between
queueable (NCQ) and non queueable (non-NCQ) commands, libata-scsi SAT
implementation must ensure forward progress for non-NCQ commands in the
presence of NCQ command traffic. This is similar to what SAS HBAs with a
hardware/firmware based SAT implementation do.

Implement such forward progress guarantee by limiting requeueing of
non-NCQ commands from ata_scsi_qc_issue(): when a non-NCQ command is
received and NCQ commands are in-flight, do not force a requeue of the
non-NCQ command by returning SCSI_MLQUEUE_XXX_BUSY and instead return 0
to indicate that the command was accepted but hold on to the qc using
the new deferred_qc field of struct ata_port.

This deferred qc will be issued using the work item deferred_qc_work
running the function ata_scsi_deferred_qc_work() once all in-flight
commands complete, which is checked with the port qc_defer() callback
return value indicating that no further delay is necessary. This check
is done using the helper function ata_scsi_schedule_deferred_qc() which
is called from ata_scsi_qc_complete(). This thus excludes this mechanism
from all internal non-NCQ commands issued by ATA EH.

When a port deferred_qc is non NULL, that is, the port has a command
waiting for the device queue to drain, the issuing of all incoming
commands (both NCQ and non-NCQ) is deferred using the regular busy
mechanism. This simplifies the code and also avoids potential denial of
service problems if a user issues too many non-NCQ commands.

Finally, whenever ata EH is scheduled, regardless of the reason, a
deferred qc is always requeued so that it can be retried once EH
completes. This is done by calling the function
ata_scsi_requeue_deferred_qc() from ata_eh_set_pending(). This avoids
the need for any special processing for the deferred qc in case of NCQ
error, link or device reset, or device timeout.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the Linux kernel’s libata-scsi subsystem, where non-Name-Concatenated Queue (Non-NCQ) commands can be repeatedly deferred when a host adapter is busy with many NCQ commands. Because the SCSI and block layers treat all commands the same, the system may requeue non-NCQ commands many times, leading to extensive delays or complete starvation of these commands. This starvation can block I/O operations from the device, resulting in a denial‑of‑service condition for clients that rely on timely responses from the SCSI device. The impact is limited to availability; confidentiality or integrity are not directly affected. The primary weakness is an uncontrolled resource consumption scenario that allows an attacker to induce long queue waits or starve non‑NCQ commands.

Affected Systems

Any Linux system running a kernel version prior to the inclusion of the described patch is affected. The affected code resides in the libata-scsi component of the Linux kernel. No specific product versions are listed, so the vulnerability applies to all kernel releases that have not integrated the new forward‑progress guarantee for non‑NCQ commands.

Risk and Exploitability

The vulnerability carries a moderate risk profile. The CVSS score is not publicly disclosed, and the EPSS score is unavailable, indicating no large body of exploitation evidence. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to be able to issue many non‑NCQ SCSI commands to a target device, which typically requires local or privileged access. Nevertheless, systems that constantly transfer large volumes of NCQ traffic could be unexpectedly degraded if an adversary amplifies non‑NCQ traffic to trigger prolonged starvation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bdb01301f3ea51a59eff252b06643fc1fe843e57`	affected	< ce22aaed011206fed9cbd8c9c2d44718607f31ee
`bdb01301f3ea51a59eff252b06643fc1fe843e57`	affected	< 888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2
`bdb01301f3ea51a59eff252b06643fc1fe843e57`	affected	< 5d61a38a60e62750526d94663b69b7ac5c7f07a5
`bdb01301f3ea51a59eff252b06643fc1fe843e57`	affected	< 0ea84089dbf62a92dc7889c79e6b18fc89260808

Linux

affected

Version	Status	Constraints
`5.10`	affected	—
`0`	unaffected	< 5.10
`6.12.77`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[bdb01301f3ea51a59eff252b06643fc1fe843e57,ce22aaed011206fed9cbd8c9c2d44718607f31ee)`	affected	code_commit	—
`[bdb01301f3ea51a59eff252b06643fc1fe843e57,888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2)`	affected	code_commit	—
`[bdb01301f3ea51a59eff252b06643fc1fe843e57,5d61a38a60e62750526d94663b69b7ac5c7f07a5)`	affected	code_commit	—
`[bdb01301f3ea51a59eff252b06643fc1fe843e57,0ea84089dbf62a92dc7889c79e6b18fc89260808)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.10`	affected	calver	—
`[0,5.10)`	unaffected	generic	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to the latest version that incorporates the libata‑scsi command‑starvation fix (commits 0ea84089, 5d61a38a, 888cd7e4, ce22aaed).
If an immediate kernel upgrade is not feasible, limit the concurrent NCQ load on the device by adjusting I/O scheduler parameters or disabling NCQ on devices that are heavily used for critical operations.
Apply any vendor‑provided workarounds or configuration changes that reduce the frequency of non‑NCQ I/O requests to the affected storage devices.

Generated by OpenCVE AI on May 27, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0ea84089dbf62a92dc7889c79e6b18fc89260808
https://git.kernel.org/stable/c/5d61a38a60e62750526d94663b69b7ac5c7f07a5
https://git.kernel.org/stable/c/888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2
https://git.kernel.org/stable/c/ce22aaed011206fed9cbd8c9c2d44718607f31ee

History

Wed, 27 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ata: libata-scsi: avoid Non-NCQ command starvation When a non-NCQ command is issued while NCQ commands are being executed, ata_scsi_qc_issue() indicates to the SCSI layer that the command issuing should be deferred by returning SCSI_MLQUEUE_XXX_BUSY. This command deferring is correct and as mandated by the ACS specifications since NCQ and non-NCQ commands cannot be mixed. However, in the case of a host adapter using multiple submission queues, when the target device is under a constant load of NCQ commands, there are no guarantees that requeueing the non-NCQ command will be executed later and it may be deferred again repeatedly as other submission queues can constantly issue NCQ commands from different CPUs ahead of the non-NCQ command. This can lead to very long delays for the execution of non-NCQ commands, and even complete starvation for these commands in the worst case scenario. Since the block layer and the SCSI layer do not distinguish between queueable (NCQ) and non queueable (non-NCQ) commands, libata-scsi SAT implementation must ensure forward progress for non-NCQ commands in the presence of NCQ command traffic. This is similar to what SAS HBAs with a hardware/firmware based SAT implementation do. Implement such forward progress guarantee by limiting requeueing of non-NCQ commands from ata_scsi_qc_issue(): when a non-NCQ command is received and NCQ commands are in-flight, do not force a requeue of the non-NCQ command by returning SCSI_MLQUEUE_XXX_BUSY and instead return 0 to indicate that the command was accepted but hold on to the qc using the new deferred_qc field of struct ata_port. This deferred qc will be issued using the work item deferred_qc_work running the function ata_scsi_deferred_qc_work() once all in-flight commands complete, which is checked with the port qc_defer() callback return value indicating that no further delay is necessary. This check is done using the helper function ata_scsi_schedule_deferred_qc() which is called from ata_scsi_qc_complete(). This thus excludes this mechanism from all internal non-NCQ commands issued by ATA EH. When a port deferred_qc is non NULL, that is, the port has a command waiting for the device queue to drain, the issuing of all incoming commands (both NCQ and non-NCQ) is deferred using the regular busy mechanism. This simplifies the code and also avoids potential denial of service problems if a user issues too many non-NCQ commands. Finally, whenever ata EH is scheduled, regardless of the reason, a deferred qc is always requeued so that it can be retried once EH completes. This is done by calling the function ata_scsi_requeue_deferred_qc() from ata_eh_set_pending(). This avoids the need for any special processing for the deferred qc in case of NCQ error, link or device reset, or device timeout.
Title		ata: libata-scsi: avoid Non-NCQ command starvation
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0ea84089dbf62a92dc7889c79e6b18fc89260808 https://git.kernel.org/stable/c/5d61a38a60e62750526d94663b69b7ac5c7f07a5 https://git.kernel.org/stable/c/888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2 https://git.kernel.org/stable/c/ce22aaed011206fed9cbd8c9c2d44718607f31ee

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:15:31.080Z

Updated: 2026-05-27T12:15:31.080Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45855

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:57.543

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45855

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:15:05Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object