CVE-2026-52977 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

futex: Prevent lockup in requeue-PI during signal/ timeout wakeup

During wait-requeue-pi (task A) and requeue-PI (task B) the following
race can happen:

Task A Task B
futex_wait_requeue_pi()
futex_setup_timer()
futex_do_wait()
futex_requeue()
CLASS(hb, hb1)(&key1);
CLASS(hb, hb2)(&key2);
*timeout*
futex_requeue_pi_wakeup_sync()
requeue_state = Q_REQUEUE_PI_IGNORE

*blocks on hb->lock*

futex_proxy_trylock_atomic()
futex_requeue_pi_prepare()
Q_REQUEUE_PI_IGNORE => -EAGAIN
double_unlock_hb(hb1, hb2)
*retry*

Task B acquires both hb locks and attempts to acquire the PI-lock of the
top most waiter (task B). Task A is leaving early due to a signal/
timeout and started removing itself from the queue. It updates its
requeue_state but can not remove it from the list because this requires
the hb lock which is owned by task B.

Usually task A is able to swoop the lock after task B unlocked it.
However if task B is of higher priority then task A may not be able to
wake up in time and acquire the lock before task B gets it again.
Especially on a UP system where A is never scheduled.

As a result task A blocks on the lock and task B busy loops, trying to
make progress but live locks the system instead. Tragic.

This can be fixed by removing the top most waiter from the list in this
case. This allows task B to grab the next top waiter (if any) in the
next iteration and make progress.

Remove the top most waiter if futex_requeue_pi_prepare() fails.
Let the waiter conditionally remove itself from the list in
handle_early_requeue_pi_wakeup().

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A race can arise during futex wait‑requeue‑PI and requeue‑PI when a task leaves early due to a signal or timeout while another higher‑priority task holds the futex. The leaving task cannot remove itself from the wait queue because it cannot acquire the required hold‑bucket lock; it blocks, and the other task busy‑loops trying to re‑queue, resulting in a live‑lock that stalls system progress. The impact is a denial of service at the kernel level, preventing all tasks from continuing and potentially freezing the system. The weakness is a concurrency race involving improper lock handling.

Affected Systems

Affected product: Linux kernel. The vendor is Linux, and the product is the kernel as a whole. Specific affected kernel versions are not listed in the provided data, so any kernel build that includes the unfixed futex implementation before the commit that fixes the issue may be vulnerable.

Risk and Exploitability

The CVSS score is not available, so the severity is unspecified. EPSS exploitation probability is also not reported, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is local kernel exploitation, requiring the attacker to trigger a futex requeue while holding a higher‑priority task. Because the flaw leads to a livelock that can lock up the whole system, the potential impact is high. The lack of official metrics suggests careful monitoring of kernel updates and awareness of the underlying concurrency weakness.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`07d91ef510fb16a2e0ca7453222105835b7ba3b8`	affected	< 4e0ed44e51727d56244a822ab941efe507c47966
`07d91ef510fb16a2e0ca7453222105835b7ba3b8`	affected	< e3f95b1ba242e37093305812df7fdbe7288a43ac
`07d91ef510fb16a2e0ca7453222105835b7ba3b8`	affected	< 0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf
`07d91ef510fb16a2e0ca7453222105835b7ba3b8`	affected	< 69a7cfc66405aeaa2483147653d031b3592ffc9c
`07d91ef510fb16a2e0ca7453222105835b7ba3b8`	affected	< 0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0
`07d91ef510fb16a2e0ca7453222105835b7ba3b8`	affected	< bc7304f3ae20972d11db6e0b1b541c63feda5f05

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Ensure your system runs a Linux kernel version that contains the fix for the futex requeue‑PI race. Check your distribution’s security advisories or Linux kernel change logs, and apply the update through your package manager or by compiling the latest kernel from source.
If you use custom kernel modules that depend on futex requeue‑PI behavior, review those modules for potential risk and update or remove them until the kernel fix is applied.
As a temporary measure, limit activities that trigger futex requeue‑PI (e.g., avoid patterns that cause high‑priority tasks to interleave with low‑priority waiters) until an update is available.
Follow best practices for concurrency: keep kernel and libraries up to date, audit for other potential race conditions, and monitor system logs for signs of busy‑loop activity or lock contention.

Generated by OpenCVE AI on June 24, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0
https://git.kernel.org/stable/c/0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf
https://git.kernel.org/stable/c/4e0ed44e51727d56244a822ab941efe507c47966
https://git.kernel.org/stable/c/69a7cfc66405aeaa2483147653d031b3592ffc9c
https://git.kernel.org/stable/c/bc7304f3ae20972d11db6e0b1b541c63feda5f05
https://git.kernel.org/stable/c/e3f95b1ba242e37093305812df7fdbe7288a43ac

History

Wed, 24 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-823 CWE-937

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: futex: Prevent lockup in requeue-PI during signal/ timeout wakeup During wait-requeue-pi (task A) and requeue-PI (task B) the following race can happen: Task A Task B futex_wait_requeue_pi() futex_setup_timer() futex_do_wait() futex_requeue() CLASS(hb, hb1)(&key1); CLASS(hb, hb2)(&key2); timeout futex_requeue_pi_wakeup_sync() requeue_state = Q_REQUEUE_PI_IGNORE blocks on hb->lock futex_proxy_trylock_atomic() futex_requeue_pi_prepare() Q_REQUEUE_PI_IGNORE => -EAGAIN double_unlock_hb(hb1, hb2) retry Task B acquires both hb locks and attempts to acquire the PI-lock of the top most waiter (task B). Task A is leaving early due to a signal/ timeout and started removing itself from the queue. It updates its requeue_state but can not remove it from the list because this requires the hb lock which is owned by task B. Usually task A is able to swoop the lock after task B unlocked it. However if task B is of higher priority then task A may not be able to wake up in time and acquire the lock before task B gets it again. Especially on a UP system where A is never scheduled. As a result task A blocks on the lock and task B busy loops, trying to make progress but live locks the system instead. Tragic. This can be fixed by removing the top most waiter from the list in this case. This allows task B to grab the next top waiter (if any) in the next iteration and make progress. Remove the top most waiter if futex_requeue_pi_prepare() fails. Let the waiter conditionally remove itself from the list in handle_early_requeue_pi_wakeup().
Title		futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0 https://git.kernel.org/stable/c/0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf https://git.kernel.org/stable/c/4e0ed44e51727d56244a822ab941efe507c47966 https://git.kernel.org/stable/c/69a7cfc66405aeaa2483147653d031b3592ffc9c https://git.kernel.org/stable/c/bc7304f3ae20972d11db6e0b1b541c63feda5f05 https://git.kernel.org/stable/c/e3f95b1ba242e37093305812df7fdbe7288a43ac

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:28:53.937Z

Updated: 2026-06-24T16:28:53.937Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52977

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:00:06Z

Weaknesses

CWE-823
Use of Out-of-range Pointer Offset
CWE-937

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object