CVE-2026-45957 - Vulnerability Details

- rcu: Fix rcu_read_unlock() deadloop due to softirq

Description

In the Linux kernel, the following vulnerability has been resolved:

rcu: Fix rcu_read_unlock() deadloop due to softirq

Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in
__rcu_read_unlock()") removes the recursion-protection code from
__rcu_read_unlock(). Therefore, we could invoke the deadloop in
raise_softirq_irqoff() with ftrace enabled as follows:

WARNING: CPU: 0 PID: 0 at kernel/trace/trace.c:3021 __ftrace_trace_stack.constprop.0+0x172/0x180
Modules linked in: my_irq_work(O)
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.18.0-rc7-dirty #23 PREEMPT(full)
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__ftrace_trace_stack.constprop.0+0x172/0x180
RSP: 0018:ffffc900000034a8 EFLAGS: 00010002
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff826d7b87 RDI: ffffffff826e9329
RBP: 0000000000090009 R08: 0000000000000005 R09: ffffffff82afbc4c
R10: 0000000000000008 R11: 0000000000011d7a R12: 0000000000000000
R13: ffff888003874100 R14: 0000000000000003 R15: ffff8880038c1054
FS: 0000000000000000(0000) GS:ffff8880fa8ea000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b31fa7f540 CR3: 00000000078f4005 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<IRQ>
trace_buffer_unlock_commit_regs+0x6d/0x220
trace_event_buffer_commit+0x5c/0x260
trace_event_raw_event_softirq+0x47/0x80
raise_softirq_irqoff+0x6e/0xa0
rcu_read_unlock_special+0xb1/0x160
unwind_next_frame+0x203/0x9b0
__unwind_start+0x15d/0x1c0
arch_stack_walk+0x62/0xf0
stack_trace_save+0x48/0x70
__ftrace_trace_stack.constprop.0+0x144/0x180
trace_buffer_unlock_commit_regs+0x6d/0x220
trace_event_buffer_commit+0x5c/0x260
trace_event_raw_event_softirq+0x47/0x80
raise_softirq_irqoff+0x6e/0xa0
rcu_read_unlock_special+0xb1/0x160
unwind_next_frame+0x203/0x9b0
__unwind_start+0x15d/0x1c0
arch_stack_walk+0x62/0xf0
stack_trace_save+0x48/0x70
__ftrace_trace_stack.constprop.0+0x144/0x180
trace_buffer_unlock_commit_regs+0x6d/0x220
trace_event_buffer_commit+0x5c/0x260
trace_event_raw_event_softirq+0x47/0x80
raise_softirq_irqoff+0x6e/0xa0
rcu_read_unlock_special+0xb1/0x160
unwind_next_frame+0x203/0x9b0
__unwind_start+0x15d/0x1c0
arch_stack_walk+0x62/0xf0
stack_trace_save+0x48/0x70
__ftrace_trace_stack.constprop.0+0x144/0x180
trace_buffer_unlock_commit_regs+0x6d/0x220
trace_event_buffer_commit+0x5c/0x260
trace_event_raw_event_softirq+0x47/0x80
raise_softirq_irqoff+0x6e/0xa0
rcu_read_unlock_special+0xb1/0x160
__is_insn_slot_addr+0x54/0x70
kernel_text_address+0x48/0xc0
__kernel_text_address+0xd/0x40
unwind_get_return_address+0x1e/0x40
arch_stack_walk+0x9c/0xf0
stack_trace_save+0x48/0x70
__ftrace_trace_stack.constprop.0+0x144/0x180
trace_buffer_unlock_commit_regs+0x6d/0x220
trace_event_buffer_commit+0x5c/0x260
trace_event_raw_event_softirq+0x47/0x80
__raise_softirq_irqoff+0x61/0x80
__flush_smp_call_function_queue+0x115/0x420
__sysvec_call_function_single+0x17/0xb0
sysvec_call_function_single+0x8c/0xc0
</IRQ>

Commit b41642c87716 ("rcu: Fix rcu_read_unlock() deadloop due to IRQ work")
fixed the infinite loop in rcu_read_unlock_special() for IRQ work by
setting a flag before calling irq_work_queue_on(). We fix this issue by
setting the same flag before calling raise_softirq_irqoff() and rename the
flag to defer_qs_pending for more common.

Published: 2026-05-27

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel contains an infinite loop in the rcu_read_unlock() routine that is triggered when a softirq is raised while ftrace is enabled. The removal of recursion‑protection code in __rcu_read_unlock() makes it possible for the loop to be entered during normal kernel operation. When the loop executes, the CPU cycles are consumed indefinitely, leading to a kernel freeze that renders the system unresponsive.

Affected Systems

All Linux kernel builds that include the buggy __rcu_read_unlock() logic before the incorporation of commits 5f5fa7ea89dc and b41642c87716. This includes every distribution and custom kernel that has not applied these patches, because the flaw resides in core kernel code and is not limited to any optional module or configuration.

Risk and Exploitability

No official CVSS or EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local kernel privilege or the ability to trigger a softirq with ftrace enabled. As a result, the risk is moderate: systems that cannot run code with kernel privileges are unlikely to be affected, while those that can execute kernel‑level code may force a denial of service by inducing the deadloop.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce`	affected	< 979c708e6c9d7fc461daef2dad8b45f22e23464c
`5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce`	affected	< 1f16679a5aa60238466ce339c35f5e82ece60337
`5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce`	affected	< 4a4a6e12c9c829be3f74b7206fa8640fc4e1c566
`5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce`	affected	< c2932e16d8c354404b17123e64daa8e33191e145
`5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce`	affected	< d41e37f26b3157b3f1d10223863519a943aa239b

Linux

affected

Version	Status	Constraints
`5.8`	affected	—
`0`	unaffected	< 5.8
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce,979c708e6c9d7fc461daef2dad8b45f22e23464c)`	affected	code_commit	—
`[5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce,1f16679a5aa60238466ce339c35f5e82ece60337)`	affected	code_commit	—
`[5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce,4a4a6e12c9c829be3f74b7206fa8640fc4e1c566)`	affected	code_commit	—
`[5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce,c2932e16d8c354404b17123e64daa8e33191e145)`	affected	code_commit	—
`[5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce,d41e37f26b3157b3f1d10223863519a943aa239b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.8`	affected	generic	—
`[0,5.8)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that includes commits 5f5fa7ea89dc and b41642c87716, or apply the upstream patch set that sets the defer_qs_pending flag before calling raise_softirq_irqoff.
Disable ftrace globally or ensure it is not active during critical operations to prevent the deadloop condition from being reachable while handling softirqs.
If an immediate update is not possible, apply a local patch that manually sets the defer_qs_pending flag before invoking raise_softirq_irqoff or replace the buggy __rcu_read_unlock() code with the corrected upstream logic.

Generated by OpenCVE AI on May 28, 2026 at 05:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1f16679a5aa60238466ce339c35f5e82ece60337
https://git.kernel.org/stable/c/4a4a6e12c9c829be3f74b7206fa8640fc4e1c566
https://git.kernel.org/stable/c/979c708e6c9d7fc461daef2dad8b45f22e23464c
https://git.kernel.org/stable/c/c2932e16d8c354404b17123e64daa8e33191e145
https://git.kernel.org/stable/c/d41e37f26b3157b3f1d10223863519a943aa239b
https://lore.kernel.org/linux-cve-announce/2026052733-CVE-2026-45957-eb03@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45957
https://www.cve.org/CVERecord?id=CVE-2026-45957

History

Thu, 28 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-770 CWE-832

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-835
References		https://lore.kernel.org/linux-cve-announce/2026052733-CVE-2026-45957-eb03@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45957 https://www.cve.org/CVERecord?id=CVE-2026-45957
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 27 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770 CWE-832

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to softirq Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") removes the recursion-protection code from __rcu_read_unlock(). Therefore, we could invoke the deadloop in raise_softirq_irqoff() with ftrace enabled as follows: WARNING: CPU: 0 PID: 0 at kernel/trace/trace.c:3021 __ftrace_trace_stack.constprop.0+0x172/0x180 Modules linked in: my_irq_work(O) CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.18.0-rc7-dirty #23 PREEMPT(full) Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__ftrace_trace_stack.constprop.0+0x172/0x180 RSP: 0018:ffffc900000034a8 EFLAGS: 00010002 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000003 RSI: ffffffff826d7b87 RDI: ffffffff826e9329 RBP: 0000000000090009 R08: 0000000000000005 R09: ffffffff82afbc4c R10: 0000000000000008 R11: 0000000000011d7a R12: 0000000000000000 R13: ffff888003874100 R14: 0000000000000003 R15: ffff8880038c1054 FS: 0000000000000000(0000) GS:ffff8880fa8ea000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b31fa7f540 CR3: 00000000078f4005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <IRQ> trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 __is_insn_slot_addr+0x54/0x70 kernel_text_address+0x48/0xc0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x1e/0x40 arch_stack_walk+0x9c/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 __raise_softirq_irqoff+0x61/0x80 __flush_smp_call_function_queue+0x115/0x420 __sysvec_call_function_single+0x17/0xb0 sysvec_call_function_single+0x8c/0xc0 </IRQ> Commit b41642c87716 ("rcu: Fix rcu_read_unlock() deadloop due to IRQ work") fixed the infinite loop in rcu_read_unlock_special() for IRQ work by setting a flag before calling irq_work_queue_on(). We fix this issue by setting the same flag before calling raise_softirq_irqoff() and rename the flag to defer_qs_pending for more common.
Title		rcu: Fix rcu_read_unlock() deadloop due to softirq
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1f16679a5aa60238466ce339c35f5e82ece60337 https://git.kernel.org/stable/c/4a4a6e12c9c829be3f74b7206fa8640fc4e1c566 https://git.kernel.org/stable/c/979c708e6c9d7fc461daef2dad8b45f22e23464c https://git.kernel.org/stable/c/c2932e16d8c354404b17123e64daa8e33191e145 https://git.kernel.org/stable/c/d41e37f26b3157b3f1d10223863519a943aa239b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:18:13.145Z

Updated: 2026-05-27T12:18:13.145Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45957

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:12.280

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45957

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45957 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T05:15:09Z

Weaknesses

CWE-835

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object