Description
In the Linux kernel, the following vulnerability has been resolved:

dm: fix unlocked test for dm_suspended_md

The function dm_blk_report_zones tests if the device is suspended with
the "dm_suspended_md" call. However, this function is called without
holding any locks, so the device may be suspended just after it.

Move the call to dm_suspended_md after dm_get_live_table, so that the
device can't be suspended after the suspended state was tested.
Published: 2026-06-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel includes a race condition in the device‑mapper function dm_blk_report_zones. The function calls dm_suspended_md to test whether a device is suspended, but this check occurs without holding the appropriate locks and before the live table is locked. If an attacker suspends the device immediately after the unsynchronized test, subsequent zone reporting may operate on a device whose state has changed, potentially leading to malformed data or block‑device operation failures. The weakness is a classic timing race, classified as CWE‑367, and does not directly trigger a kernel panic or system crash according to the description.
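
The ordering problem described above, modelled in userspace C as an added example (this is not kernel code and not part of the original record). The struct, field names, return codes and the racer callback are hypothetical; the one modelling assumption, taken from the description, is that a suspend cannot complete while the live table is held.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: struct, fields and return codes are hypothetical. */
struct mdev {
    bool suspended;  /* state the suspend test reads */
    int table_refs;  /* readers currently holding the live table */
};
enum { ZONES_OK = 0, ZONES_SUSPENDED = -1, ZONES_RACED = -2 };

/* Assumption from the description: suspend cannot complete while a reader holds the table. */
static bool try_suspend(struct mdev *md)
{
    if (md->table_refs > 0)
        return false;           /* held off until the reader drops the table */
    md->suspended = true;
    return true;
}

/* Before the fix: test, then take the table. 'racer' runs in the gap. */
static int report_zones_before(struct mdev *md, bool (*racer)(struct mdev *))
{
    if (md->suspended)
        return ZONES_SUSPENDED;
    if (racer) racer(md);       /* nothing is held: the suspend succeeds */
    md->table_refs++;
    int r = md->suspended ? ZONES_RACED : ZONES_OK;
    md->table_refs--;
    return r;
}

/* After the fix: take the table, then test. */
static int report_zones_after(struct mdev *md, bool (*racer)(struct mdev *))
{
    int r = ZONES_SUSPENDED;
    md->table_refs++;
    if (!md->suspended) {
        if (racer) racer(md);   /* table is held: the suspend is held off */
        r = md->suspended ? ZONES_RACED : ZONES_OK;
    }
    md->table_refs--;
    return r;
}

int main(void)
{
    struct mdev a = { false, 0 }, b = { false, 0 };
    printf("before fix: %d, after fix: %d\n",
           report_zones_before(&a, try_suspend), report_zones_after(&b, try_suspend));
    return 0;
}
```

With the same interleaving, the first ordering proceeds against a device that became suspended after the test, while the second either sees the suspended state or completes before the suspend can take effect.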

Affected Systems

All Linux kernel versions that contain the unpatched dm_blk_report_zones logic are affected. The fix moves the dm_suspended_md call after dm_get_live_table to introduce proper synchronization. Distribution kernels that ship identical code without the commit are also vulnerable; the common platform enumeration cpe:2.3:o:linux:linux_kernel:* covers all kernel releases.

Risk and Exploitability

The flaw is a local race condition that requires the attacker to trigger a device suspend during a narrow window of unsynchronized execution. It is unlikely to be exploited remotely and would typically require privileged or root access to influence block‑device operations. The CVSS score of 7.8 indicates high severity, the EPSS score of less than 1% shows a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is local with a prerequisite of controlling or interacting with the device‑mapper subsystem.

Generated by OpenCVE AI on June 14, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest kernel package that includes the dm_suspended_md fix, which moves the suspend test after the dm_get_live_table call (CWE‑367).
  • Reboot the system so the updated kernel is loaded and active.
  • If a kernel upgrade cannot be performed immediately, temporarily disable affected device‑mapper targets by issuing "dmsetup suspend <target>" or blocking block operations until the patch is applied.


Advisories

No advisories yet.

History

Sun, 14 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 10 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-847

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Tue, 09 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
CWE-847

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dm_suspended_md The function dm_blk_report_zones tests if the device is suspended with the "dm_suspended_md" call. However, this function is called without holding any locks, so the device may be suspended just after it. Move the call to dm_suspended_md after dm_get_live_table, so that the device can't be suspended after the suspended state was tested.
Title dm: fix unlocked test for dm_suspended_md
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T04:30:25.673Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46327

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T14:16:42.400

Modified: 2026-06-14T06:16:25.307

Link: CVE-2026-46327

Redhat

Severity: Low

Public Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46327 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-14T07:30:10Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition