Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix soft lockup in retry_aligned_read()

When retry_aligned_read() encounters an overlapped stripe, it releases
the stripe via raid5_release_stripe() which puts it on the lockless
released_stripes llist. In the next raid5d loop iteration,
release_stripe_list() drains the stripe onto handle_list (since
STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
runs before handle_active_stripes() and removes the stripe from
handle_list via find_get_stripe() -> list_del_init(). This prevents
handle_stripe() from ever processing the stripe to resolve the
overlap, causing an infinite loop and soft lockup.

Fix this by using __release_stripe() with temp_inactive_list instead
of raid5_release_stripe() in the failure path, so the stripe does not
go through the released_stripes llist. This allows raid5d to break out
of its loop, and the overlap will be resolved when the stripe is
eventually processed by handle_stripe().
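
The loop ordering described above, as a toy user-space model in C (an added example, not kernel code and not part of the fix commit). It tracks a single stripe and assumes that the __release_stripe() path requeues the stripe directly on handle_list and that raid5d leaves its loop once an iteration neither drains nor handles a stripe; the names model and simulate_raid5d and the starting state are constructed for illustration.

```c
#include <stdio.h>
/* Toy model of one stripe in the raid5d loop (added example, not kernel code). */
enum where { NOWHERE, RELEASED_LLIST, HANDLE_LIST };
struct model { enum where stripe; int overlap; int retry_pending; };

/* Failure path: fixed=0 models raid5_release_stripe() (stripe goes onto the
 * released_stripes llist); fixed=1 models __release_stripe(), assumed here
 * to requeue the stripe on handle_list directly. */
static void retry_aligned_read(struct model *m, int fixed)
{
    m->stripe = NOWHERE;               /* find_get_stripe() -> list_del_init() */
    if (m->overlap) {
        m->stripe = fixed ? HANDLE_LIST : RELEASED_LLIST;
        return;                        /* read must be retried later */
    }
    m->retry_pending = 0;              /* no overlap: aligned read is issued */
}

/* Returns the iteration at which raid5d leaves its loop, or -1 if it is
 * still spinning after max_iters (the soft-lockup case). */
int simulate_raid5d(int fixed, int max_iters)
{
    /* Constructed start: overlapping stripe on the llist, one read to retry. */
    struct model m = { RELEASED_LLIST, 1, 1 };
    for (int iter = 1; iter <= max_iters; iter++) {
        int released = 0, batch = 0;
        if (m.stripe == RELEASED_LLIST) {   /* release_stripe_list() */
            m.stripe = HANDLE_LIST;
            released = 1;
        }
        if (m.retry_pending)
            retry_aligned_read(&m, fixed);
        if (m.stripe == HANDLE_LIST) {      /* handle_active_stripes() */
            m.overlap = 0;                  /* handle_stripe() resolves overlap */
            m.stripe = NOWHERE;
            batch = 1;
        }
        if (!batch && !released)            /* nothing left to do: exit loop */
            return iter;
    }
    return -1;
}

int main(void)
{
    printf("unpatched: %d\n", simulate_raid5d(0, 1000));
    printf("patched:   %d\n", simulate_raid5d(1, 1000));
    return 0;
}
```

In the unpatched variant the stripe alternates between the llist and handle_list without ever reaching the handle_active_stripes() step, so the iteration cap is always hit; in the patched variant the loop exits on the second iteration.
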
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s RAID5 driver, the function retry_aligned_read() contains a logic error that allows a stripe to be prematurely removed from the active list, causing an infinite processing loop that results in a soft lockup. This effect can temporarily halt a CPU, but it does not compromise data integrity or grant privilege escalation. The likely attack vector involves local interaction with a RAID5 array: by provoking a read request on an overlapped stripe, an attacker could trigger the loop and induce the lockup.

Affected Systems

All systems running a Linux kernel that contains the unpatched retry_aligned_read() logic are inferred to be potentially affected, regardless of distribution or kernel release track, because the commit is not tied to a specific kernel version range. Any kernel build that includes the original code is therefore vulnerable.

Risk and Exploitability

The CVSS score is not provided and EPSS information is not available. The vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires local access to a system configured to use RAID5; an attacker could trigger the infinite loop by initiating a read on an overlapped stripe, thereby causing a persistent soft lockup. Given the lack of a remote trigger and the need for continuous I/O activity, the exploitation risk is moderate but could be high for critical services running on the affected node.

Generated by OpenCVE AI on May 27, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes commit 09880592f5a9dc73377d6eb5ac123537b5f8df49, which implements the fix in retry_aligned_read()
  • If an immediate kernel update is not possible, isolate the RAID5 arrays and restrict direct I/O access to trusted administrators
  • Monitor dmesg and kernel logs for persistent "soft lockup" messages and schedule a kernel reboot if lockups recur


Advisories

No advisories yet.

History

Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-666

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title md/raid5: fix soft lockup in retry_aligned_read()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:09.274Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46051

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:24.693

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T23:30:45Z

Weaknesses