CVE-2026-45953 - Vulnerability Details

- md/raid5: fix IO hang with degraded array with llbitmap

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix IO hang with degraded array with llbitmap

When llbitmap bit state is still unwritten, any new write should force
rcw, as bitmap_ops->blocks_synced() is checked in handle_stripe_dirtying().
However, later the same check is missing in need_this_block(), causing
stripe to deadloop during handling because handle_stripe() will decide
to go to handle_stripe_fill(), meanwhile need_this_block() always return
0 and nothing is handled.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The defect resides in the Linux kernel’s RAID5 driver where a missing bitmap synchronization check in the need_this_block() routine creates an uncontrolled loop. When a degraded array uses a logical llbitmap that is still unwritten, write operations force a flush that relies on the bitmap. The missing guard allows handle_stripe() to repeatedly call handle_stripe_fill() without ever advancing, triggering a self‑terminating loop that consumes kernel LRU resources and finally stalls all I/O for the device, effectively denying service.

Affected Systems

This issue affects any Linux kernel build that includes RAID5 with llbitmap enabled and has not incorporated the upstream fix. The publicly available data does not list specific kernel release versions, so all affected deployments should audit their current kernel state for the missing bitmap guard.

Risk and Exploitability

The CVSS score of 5.5 labels it a moderate threat, while an EPSS of <1% indicates a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to produce write traffic to a degraded RAID5 array—a capability generally limited to privileged or local users. By triggering the loop, the attacker can force the array into an infinite retry cycle, rendering the storage subsystem unusable until a reboot or repair is performed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5ab829f1971dc99f2aac10846c378e67fc875abc`	affected	< 870b9f15867b0e70f3459ef3974b043e8b229690
`5ab829f1971dc99f2aac10846c378e67fc875abc`	affected	< 28ef299e7a5b81817f8ca8297c2ddff28f5da5e8
`5ab829f1971dc99f2aac10846c378e67fc875abc`	affected	< cd1635d844d26471c56c0a432abdee12fc9ad735

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5ab829f1971dc99f2aac10846c378e67fc875abc,870b9f15867b0e70f3459ef3974b043e8b229690)`	affected	code_commit	—
`[5ab829f1971dc99f2aac10846c378e67fc875abc,28ef299e7a5b81817f8ca8297c2ddff28f5da5e8)`	affected	code_commit	—
`[5ab829f1971dc99f2aac10846c378e67fc875abc,cd1635d844d26471c56c0a432abdee12fc9ad735)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel version that includes the corrected bitmap check to eliminate the infinite loop risk.
If a kernel upgrade cannot be performed immediately, temporarily remove write permissions from the affected RAID5 array or stop the md RAID service to prevent the loop from being entered, thereby addressing the CWE‑835 termination flaw.
After installing the patch, reboot the system to ensure the updated kernel and md driver are active and the loop condition can no longer be triggered.

Generated by OpenCVE AI on June 16, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00121.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/28ef299e7a5b81817f8ca8297c2ddff28f5da5e8
https://git.kernel.org/stable/c/870b9f15867b0e70f3459ef3974b043e8b229690
https://git.kernel.org/stable/c/cd1635d844d26471c56c0a432abdee12fc9ad735
https://lore.kernel.org/linux-cve-announce/2026052732-CVE-2026-45953-7e84@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45953
https://www.cve.org/CVERecord?id=CVE-2026-45953

History

Tue, 16 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Thu, 28 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-674

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-835
References		https://lore.kernel.org/linux-cve-announce/2026052732-CVE-2026-45953-7e84@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45953 https://www.cve.org/CVERecord?id=CVE-2026-45953
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-674

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmap_ops->blocks_synced() is checked in handle_stripe_dirtying(). However, later the same check is missing in need_this_block(), causing stripe to deadloop during handling because handle_stripe() will decide to go to handle_stripe_fill(), meanwhile need_this_block() always return 0 and nothing is handled.
Title		md/raid5: fix IO hang with degraded array with llbitmap
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/28ef299e7a5b81817f8ca8297c2ddff28f5da5e8 https://git.kernel.org/stable/c/870b9f15867b0e70f3459ef3974b043e8b229690 https://git.kernel.org/stable/c/cd1635d844d26471c56c0a432abdee12fc9ad735

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:18:09.203Z

Updated: 2026-05-27T12:18:09.203Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45953

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:11.813

Modified: 2026-06-16T02:34:19.970

Link: CVE-2026-45953

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45953 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object