Description
In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:

CPU0 (quota_release_workfn)              CPU1 (dquot_scan_active)
==============================           ==============================
spin_lock(&dq_list_lock);
list_replace_init(
  &releasing_dquots, &rls_head);
  /* dquot X on rls_head,
     dq_count == 0,
     DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
                                         spin_lock(&dq_list_lock);
                                         list_for_each_entry(dquot,
                                           &inuse_list, dq_inuse) {
                                           /* finds dquot X */
                                           dquot_active(X) -> true
                                           atomic_inc(&X->dq_count);
                                         }
                                         spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));

The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.

Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.
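
The interleaving above, replayed deterministically as an added example (a simplified userspace model, not the kernel's code or the actual patch). The struct, its fields and the function names are hypothetical, and the model assumes the release worker hands every dquot still on its list over for freeing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model; all names here are hypothetical. */
struct model_dquot {
    int  count;         /* stands in for dq_count */
    bool active;        /* stands in for DQ_ACTIVE_B */
    bool on_releasing;  /* still queued for the release worker */
    bool reclaimable;   /* worker handed it over to be freed */
};

/* Scan step without the fix: take a reference, leave X queued. */
static void scan_unfixed(struct model_dquot *dq) {
    if (dq->active)
        dq->count++;
}

/* Scan step with the fix: taking a reference also unqueues X. */
static void scan_fixed(struct model_dquot *dq) {
    if (dq->active) {
        dq->on_releasing = false;
        dq->count++;
    }
}

/* Worker resuming after synchronize_srcu(): whatever is still queued is
 * assumed unreferenced. Returns true when that assumption is violated,
 * i.e. the WARN_ON_ONCE() condition from the diagram. */
static bool release_worker(struct model_dquot *dq) {
    if (!dq->on_releasing)
        return false;
    bool warned = dq->count != 0;
    dq->on_releasing = false;
    dq->reclaimable = true;
    return warned;
}

/* Replay the diagram: X queued with count 0, scan runs, worker resumes. */
static bool replay(void (*scan)(struct model_dquot *), struct model_dquot *x) {
    *x = (struct model_dquot){ .active = true, .on_releasing = true };
    scan(x);
    return release_worker(x);
}

int main(void) {
    struct model_dquot x;
    printf("unfixed: warn=%d\n", replay(scan_unfixed, &x));
    printf("fixed:   warn=%d\n", replay(scan_fixed, &x));
    return 0;
}
```

In the unfixed replay the scanner ends up holding a reference to an object the worker has already marked for freeing; in the fixed replay the worker never sees it.
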
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The race between quota_release_workfn() and dquot_scan_active() allows a user to trigger a use-after-free of a dquot object. When a dquot is released while another thread scans active dquots, the freed object can be accessed under memory pressure, leading to memory corruption that can crash the kernel or potentially be leveraged for privilege escalation. This weakness is a race condition (CWE-362); the WARN_ON_ONCE() it trips in the release worker is classified as a reachable assertion (CWE-617), and the access to the freed dquot is the use-after-free consequence.

Affected Systems

The flaw exists in the Linux kernel's quota subsystem. All kernel builds that include the quota implementation and expose a quota_release_workfn path are affected, including mainstream distribution kernels running community editions of Linux. No specific version list is given, so any kernel prior to the patch commit is impacted.

Risk and Exploitability

The lack of an EPSS score or KEV listing indicates that public exploitation has not been documented. Nonetheless, the flaw permits local memory corruption and could be exploited by a user with sufficient permissions. Attackers would normally need to trigger a quota deactivation while another thread is scanning active dquots, which may require user-level interaction. Because the bug is not exposed to unprivileged users through the network, the practical attack surface is moderate, but the potential for privilege escalation remains high.

Generated by OpenCVE AI on June 24, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the patch committed in 2bdc80f4619411e5bd4a3ef23f51e14021ed457c
  • If an immediate upgrade is not possible, rebuild the kernel from source with the patched code or backport the change to the running kernel
  • Ensure that only privileged users can trigger quota deactivation or modify quota limits to reduce the probability of the race condition occurring

Generated by OpenCVE AI on June 24, 2026 at 19:25 UTC.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-362, CWE-617

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | quota: Fix race of dquot_scan_active() with quota deactivation
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:56.043Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53050

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-617

    Reachable Assertion