Description
In the Linux kernel, the following vulnerability has been resolved:

exit: prevent preemption of oopsing TASK_DEAD task

When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled. That is forbidden:
do_task_dead() calls __schedule(), which has a comment saying "WARNING:
must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming
TASK_DEAD and entering the scheduler explicitly, bad things happen:
finish_task_switch() assumes that once the scheduler has switched away
from a TASK_DEAD task, the task can never run again and its stack is no
longer needed; but that assumption apparently doesn't hold if the dead
task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on
the dead task's stack, which can lead to use-after-free or double-free
of the entire task stack; in other words, two tasks can end up running
on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to
oops once during task exit, for example in a file_operations::release
handler)
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When an exiting task in the Linux kernel encounters an oops, the function that marks the task dead, do_task_dead(), may be executed with preemption still enabled. This violates a precondition that requires preemption to be disabled, and it causes the scheduler to incorrectly drop references on the task's stack. Consequently, the stack of a terminated task can be used by another task, leading to use-after-free or double-free conditions that corrupt kernel memory and can cause a system crash. The flaw is triggered by an oops during task exit, such as in a file_operations::release handler, and does not require recursive oops situations. This issue is mapped to CWE-787 (Out-of-bounds Write).

Affected Systems

All Linux kernel versions that contain the unpatched do_task_dead implementation are vulnerable. The exact range of affected releases is not specified, but any kernel prior to the commit that introduced the preemption guard is susceptible.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of <1% suggests a very low but nonzero probability of exploitation, and the issue is not listed in the CISA KEV catalog. The flaw appears, based on the description, to be exploitable only in a local context, requiring an attacker who can trigger an oops in an exiting task. Because the memory corruption affects kernel memory, it could potentially lead to a system crash or severe instability. The risk remains significant given severity, but further assessment is required to determine the exact impact in various environments.

Generated by OpenCVE AI on June 10, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that contains the fix for do_task_dead preemption, which is included in the commit identified by 640b4c00fb0e2920327435f6176cbefc3c546165
  • Apply the corresponding patch to your kernel sources and rebuild the kernel if a newer distribution release is not available
  • Boot the updated kernel so that the patched code is in use


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 07:45:00 +0000

Type: References

Wed, 10 Jun 2026 21:15:00 +0000

Type: Weaknesses
Values Added: CWE-787

Type: CPEs
Values Added:
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-1341

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Thu, 28 May 2026 10:15:00 +0000

Type: Description
Values Added: the Description text given at the top of this record

Type: Title
Values Added: exit: prevent preemption of oopsing TASK_DEAD task

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-17T06:15:31.395Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46173

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:32.923

Modified: 2026-06-10T21:11:30.630

Link: CVE-2026-46173

Redhat

Severity: Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46173 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses
  • CWE-1341

    Multiple Releases of Same Resource or Handle

  • CWE-787

    Out-of-bounds Write