Description
In the Linux kernel, the following vulnerability has been resolved:

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.

Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
&dev->event_lock --> &f_owner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                               local_irq_disable();
                               lock(&dev->event_lock);
                               lock(&f_owner->lock);
  <Interrupt>
    lock(&dev->event_lock);

*** DEADLOCK ***
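
The splat above can be matched mechanically when triaging kernel logs. The following helper is an added example, not part of the CVE record or the kernel patch; the log lines are constructed from the splat text with dmesg-style timestamps added, and the function names are hypothetical.

```python
import re

# Constructed sample: the splat from the description with dmesg-style
# timestamps added, preceded by an unrelated (made-up) log line.
SAMPLE_LOG = """\
[   41.102233] input: constructed-device as /devices/virtual/input/input7
[   41.250001] =====================================================
[   41.250004] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[   41.250010] Chain exists of:
[   41.250012]   &dev->event_lock --> &f_owner->lock --> tasklist_lock
[   41.250020]  Possible interrupt unsafe locking scenario:
[   41.250031]  *** DEADLOCK ***
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # optional dmesg timestamp prefix
HEADER = re.compile(r"WARNING: (\S+)-safe -> (\S+)-unsafe lock order detected")


def parse_splats(text):
    """Return one dict per lock-order report: IRQ class and lock chain."""
    reports, current, want_chain = [], None, False
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        m = HEADER.search(line)
        if m:
            current = {"irq_class": m.group(1), "chain": []}
            reports.append(current)
            want_chain = False
        elif current is not None and line.startswith("Chain exists of:"):
            want_chain = True  # the chain itself is on a following line
        elif want_chain and "-->" in line:
            current["chain"] = [part.strip() for part in line.split("-->")]
            want_chain = False
    return reports


def is_fasync_signature(report):
    """True when a SOFTIRQ report's chain passes through the fasync owner
    lock and ends at tasklist_lock, as in the splat on this page."""
    chain = report["chain"]
    return (report["irq_class"] == "SOFTIRQ"
            and "&f_owner->lock" in chain
            and chain[-1:] == ["tasklist_lock"])
```

Lockdep reports appear only on kernels built with lock debugging (CONFIG_PROVE_LOCKING), so the absence of a splat on a production kernel says nothing about exposure.
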
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SOFTIRQ-unsafe lock order: when send_sigio() or send_sigurg() is invoked from softirq context, it can deadlock between tasklist_lock and other locks. When FASYNC is configured for a process group, an urgent TCP packet or an input event that triggers signal delivery can drive the kernel into this deadlock. The deadlock stalls kernel progress, effectively bringing the system to a halt, so an attacker who can trigger it can cause a denial of service.

Affected Systems

Affected are all Linux kernel builds in which send_sigio() or send_sigurg() still takes read_lock(&tasklist_lock), that is, builds without the patch that replaces it with rcu_read_lock(). The listed vendor is Linux (the kernel maintainers); no specific distribution version is listed in the supplied data.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack requires an external party able to send or influence TCP URG packets or to trigger fasync input events. If successful, the attacker can induce a kernel-level deadlock that hangs the entire system, causing a denial of service. The likelihood of exploitation in the wild is currently unknown; the lack of exploitability data suggests it is not widely exploited yet, but the potential impact is high for affected hosts.

Generated by OpenCVE AI on June 24, 2026 at 19:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your distribution’s kernel package to the latest release that incorporates the patch, for example using "apt update && apt install --only-upgrade linux-image-" for Debian/Ubuntu or the equivalent command for your platform.
  • Reboot the system so that the updated kernel loads.
  • If an automated update isn’t available, download the source tree, cherry‑pick the relevant commit (e.g., 1bee4176), rebuild the kernel, install the new image, and reboot.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-662
CWE-665

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:26:04.419Z

Reserved: 2026-06-09T07:44:35.371Z

Link: CVE-2026-52946

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z