Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix soft lockup in retry_aligned_read()

When retry_aligned_read() encounters an overlapped stripe, it releases
the stripe via raid5_release_stripe() which puts it on the lockless
released_stripes llist. In the next raid5d loop iteration,
release_stripe_list() drains the stripe onto handle_list (since
STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
runs before handle_active_stripes() and removes the stripe from
handle_list via find_get_stripe() -> list_del_init(). This prevents
handle_stripe() from ever processing the stripe to resolve the
overlap, causing an infinite loop and soft lockup.

Fix this by using __release_stripe() with temp_inactive_list instead
of raid5_release_stripe() in the failure path, so the stripe does not
go through the released_stripes llist. This allows raid5d to break out
of its loop, and the overlap will be resolved when the stripe is
eventually processed by handle_stripe().
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s RAID5 driver, the function retry_aligned_read() contains a logic error that allows a stripe to be prematurely removed from the active list, causing an infinite processing loop that results in a soft lockup. This effect can temporarily halt a CPU, but it does not compromise data integrity or grant privilege escalation. The likely attack vector involves local interaction with a RAID5 array: by provoking a read request on an overlapped stripe, an attacker could trigger the loop and induce the lockup.

Affected Systems

It is inferred that any system running a Linux kernel that contains the unpatched retry_aligned_read() logic is potentially affected, regardless of distribution or kernel release track, because the fixing commit is not tied here to a specific kernel version range.

Risk and Exploitability

The CVSS score is 5.5 and EPSS information is not available. The vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires local access to a system configured to use RAID5; an attacker could trigger the infinite loop by initiating a read on an overlapped stripe, thereby causing a persistent soft lockup. Given the lack of a remote trigger and the need for continuous I/O activity, the exploitation risk is moderate but could be high for critical services running on the affected node.

Generated by OpenCVE AI on May 28, 2026 at 02:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes commit 09880592f5a9dc73377d6eb5ac123537b5f8df49, which implements the fix in retry_aligned_read()
  • If an immediate kernel update is not possible, isolate the RAID5 arrays and restrict direct I/O access to trusted administrators
  • Monitor dmesg and kernel logs for persistent "soft lockup" messages and schedule a kernel reboot if lockups recur

Generated by OpenCVE AI on May 28, 2026 at 02:10 UTC.
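The log-monitoring action above can be scripted. The following is an added example, not part of the OpenCVE record or the kernel patch: it parses kernel watchdog "soft lockup" lines and reports md arrays whose RAID4/5/6 thread was reported stuck repeatedly. The log lines are constructed, and the min_reports threshold and function names are assumptions.

```python
import re
from collections import Counter

# Kernel watchdog report, e.g.
# "watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [md0_raid5:412]"
LOCKUP_RE = re.compile(
    r"BUG: soft lockup - CPU#(?P<cpu>\d+) stuck for (?P<secs>\d+)s! "
    r"\[(?P<task>.+):(?P<pid>\d+)\]"
)
# md names the RAID4/5/6 worker thread "<array>_raid<level>"; raid5d runs in it.
MD_RAID_TASK_RE = re.compile(r"^(?P<array>md\w+)_raid[456]$")

# Constructed sample input; on a live host feed the lines of `dmesg` instead.
SAMPLE_LOG = """\
[ 1042.118201] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [md0_raid5:412]
[ 1070.118644] watchdog: BUG: soft lockup - CPU#2 stuck for 52s! [md0_raid5:412]
[ 1311.904120] watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [kworker/5:1:877]
[ 1500.000312] watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [md127_raid6:530]
""".splitlines()


def parse_lockups(lines):
    """Return (array, cpu, seconds) for each soft lockup in an md RAID4/5/6 thread."""
    hits = []
    for line in lines:
        m = LOCKUP_RE.search(line)
        if not m:
            continue
        task = MD_RAID_TASK_RE.match(m["task"])
        if task:  # ignore lockups in unrelated tasks such as kworkers
            hits.append((task["array"], int(m["cpu"]), int(m["secs"])))
    return hits


def persistent_arrays(lines, min_reports=2):
    """Arrays whose raid thread was reported stuck at least min_reports times."""
    counts = Counter(array for array, _, _ in parse_lockups(lines))
    return sorted(a for a, n in counts.items() if n >= min_reports)


if __name__ == "__main__":
    for array in persistent_arrays(SAMPLE_LOG):
        print(f"{array}: repeated soft lockup in raid thread, check kernel for the fix")
```

A hit only shows that an md raid thread is stuck; confirming this specific bug still requires checking whether the running kernel contains the fixing commit.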

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667

Mon, 01 Jun 2026 17:00:00 +0000


Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-666

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix soft lockup in retry_aligned_read() When retry_aligned_read() encounters an overlapped stripe, it releases the stripe via raid5_release_stripe() which puts it on the lockless released_stripes llist. In the next raid5d loop iteration, release_stripe_list() drains the stripe onto handle_list (since STRIPE_HANDLE is set by the original IO), but retry_aligned_read() runs before handle_active_stripes() and removes the stripe from handle_list via find_get_stripe() -> list_del_init(). This prevents handle_stripe() from ever processing the stripe to resolve the overlap, causing an infinite loop and soft lockup. Fix this by using __release_stripe() with temp_inactive_list instead of raid5_release_stripe() in the failure path, so the stripe does not go through the released_stripes llist. This allows raid5d to break out of its loop, and the overlap will be resolved when the stripe is eventually processed by handle_stripe().
Title md/raid5: fix soft lockup in retry_aligned_read()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:50:46.976Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46051

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:24.693

Modified: 2026-06-16T15:02:51.903

Link: CVE-2026-46051

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46051 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T02:15:04Z

Weaknesses
  • CWE-666

    Operation on Resource in Wrong Phase of Lifetime

  • CWE-667

    Improper Locking

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')