Impact
The Linux kernel’s handling of the shadow stack during a sigreturn contains a lock‑ordering flaw that can cause a deadlock. When the kernel attempts to read a shadow stack frame and the access faults, the fault handler may recursively acquire the mmap read lock, while another CPU may hold an mmap write lock. This mismatch follows the concurrency race pattern identified as CWE‑667 and results in a kernel deadlock that stalls signal handling, effectively creating a denial of service. The bug does not provide code execution but can halt normal system operation.
Affected Systems
All Linux kernels compiled for x86 with the shadow stack (X86_USER_SHADOW_STACK) enabled on SMP machines are affected. The issue relies on the PER_VMA_LOCK configuration, which is the default for SMP kernels. No specific kernel versions are listed, so any build that contains the described code paths is potentially vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity, while the EPSS score of <1% shows a very low probability of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, the flaw manifests during normal signal handling, so exploitation likely requires local or privileged code execution that triggers a sigreturn encountering a page fault. The result is a local denial of service through a kernel deadlock rather than remote code execution. The concurrency error follows a classic race scenario (CWE‑667).
OpenCVE Enrichment
Ubuntu USN