CVE-2026-46008 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: fix damos_walk() vs kdamond_fn() exit race

When kdamond_fn() main loop is finished, the function cancels remaining
damos_walk() request and unset the damon_ctx->kdamond so that API callers
and API functions themselves can show the context is terminated.
damos_walk() adds the caller's request to the queue first. After that, it
shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond
is set). Only if the kdamond is running, damos_walk() starts waiting for
the kdamond's handling of the newly added request.

The damos_walk() requests registration and damon_ctx->kdamond unset are
protected by different mutexes, though. Hence, damos_walk() could race
with damon_ctx->kdamond unset, and result in deadlocks.

For example, let's suppose kdamond successfully finished the damow_walk()
request cancelling. Right after that, damos_walk() is called for the
context. It registers the new request, and shows the context is still
running, because damon_ctx->kdamond unset is not yet done. Hence the
damos_walk() caller starts waiting for the handling of the request.
However, the kdamond is already on the termination steps, so it never
handles the new request. As a result, the damos_walk() caller thread
infinitely waits.

Fix this by introducing another damon_ctx field, namely
walk_control_obsolete. It is protected by the
damon_ctx->walk_control_lock, which protects damos_walk() request
registration. Initialize (unset) it in kdamond_fn() before letting
damon_start() returns and set it just before the cancelling of the
remaining damos_walk() request is executed. damos_walk() reads the
obsolete field under the lock and avoids adding a new request.

After this change, only requests that are guaranteed to be handled or
cancelled are registered. Hence the after-registration DAMON context
termination check is no longer needed. Remove it together.

The issue is found by sashiko [1].

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A race condition between the DAMON background thread and the request‑registration function can cause the caller to wait indefinitely for a request that is never processed. This results in a deadlock that effectively stalls the kernel thread, leading to a denial of service. The flaw is a classic synchronization issue where two fields are protected by different mutexes, allowing a window where a request is registered while the background worker has already begun termination.

Affected Systems

The issue affects all Linux kernel builds that include the DAMON subsystem, regardless of distribution. No specific version range is listed in the advisory, so any kernel that implements the referenced logic without the commit is vulnerable.

Risk and Exploitability

The exploitability is limited to code that runs with kernel privileges, such as root users or compromised kernel modules. While the kernel patch introduces a deadlock rather than arbitrary code execution, the impact of a stuck kernel thread can be significant. EPSS is not available and the vulnerability is not listed in CISA KEV, indicating no publicly known widespread exploitation. The CVSS score is not stated, but the confidence in a local denial of service scenario suggests a moderate to high severity within affected environments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61`	affected	< 0ba956a239ba6e3fae8555d3660e22e675be63b5
`bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61`	affected	< 33c3f6c2b48cd84b441dba1ee3e62290e53930f4

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that incorporates the commit fixing the DAMON exit race.
Reboot the system after upgrading to ensure the updated kernel is active.
If an immediate kernel upgrade is infeasible, disable the DAMON feature in the kernel configuration to prevent use of the vulnerable code path.

Generated by OpenCVE AI on May 27, 2026 at 17:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0ba956a239ba6e3fae8555d3660e22e675be63b5
https://git.kernel.org/stable/c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4

History

Wed, 27 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race When kdamond_fn() main loop is finished, the function cancels remaining damos_walk() request and unset the damon_ctx->kdamond so that API callers and API functions themselves can show the context is terminated. damos_walk() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond's handling of the newly added request. The damos_walk() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damos_walk() could race with damon_ctx->kdamond unset, and result in deadlocks. For example, let's suppose kdamond successfully finished the damow_walk() request cancelling. Right after that, damos_walk() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damos_walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread infinitely waits. Fix this by introducing another damon_ctx field, namely walk_control_obsolete. It is protected by the damon_ctx->walk_control_lock, which protects damos_walk() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() returns and set it just before the cancelling of the remaining damos_walk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request. After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together. The issue is found by sashiko [1].
Title		mm/damon/core: fix damos_walk() vs kdamond_fn() exit race
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0ba956a239ba6e3fae8555d3660e22e675be63b5 https://git.kernel.org/stable/c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:56:08.315Z

Updated: 2026-05-27T12:56:08.315Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46008

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:18.600

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:00:17Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object