Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: reset per-IO canceled flag on each fetch

If a ublk server starts recovering devices but dies before issuing fetch
commands for all IOs, cancellation of the fetch commands that were
successfully issued may never complete. This is because the per-IO
canceled flag can remain set even after the fetch for that IO has been
submitted - the per-IO canceled flags for all IOs in a queue are reset
together only once all IOs for that queue have been fetched. So if a
nonempty proper subset of the IOs for a queue are fetched when the ublk
server dies, the IOs in that subset will never successfully be canceled,
as their canceled flags remain set, and this prevents ublk_cancel_cmd
from actually calling io_uring_cmd_done on the commands, despite the
fact that they are outstanding.

Fix this by resetting the per-IO cancel flags immediately when each IO
is fetched instead of waiting for all IOs for the queue (which may never
happen).
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s ublk driver, associated with improper handling of I/O cancellation (CWE‑821), causes the per‑IO canceled flag to remain set when the server dies before all fetch commands are issued. The flag is only cleared after the entire queue is fetched; thus any subset of pending fetches is left without cancellation. Consequently, outstanding io_uring commands never complete, which can lock the block device and lead to system‑wide I/O stalls, effectively denying service.

Affected Systems

All Linux kernel systems that employ the ublk (user‑space block) subsystem are affected. The advisory does not specify a particular kernel version range, so any instance running the unpatched ublk module could be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 and an EPSS score of < 1% indicate a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, meaning no known public exploitation. The bug will manifest if a ublk server terminates or crashes while fetching only a subset of queued I/Os. An attacker with local control over the server could induce a crash, causing the device to hang and resources to be exhausted, which poses an availability risk for the host and any clients attached to the affected block device.

Generated by OpenCVE AI on June 25, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the ublk cancel‑flag reset fix.
  • Configure ublk servers to perform a graceful shutdown that confirms all fetch commands have been issued before the process exits or implements a retry mechanism for pending fetches.
  • If the ublk subsystem is not required, disable it or restrict access to it while monitoring for abnormal process termination to prevent I/O stalls.

Generated by OpenCVE AI on June 25, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-773

Thu, 25 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-773

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding. Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen).
Title ublk: reset per-IO canceled flag on each fetch
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:53.268Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53124

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53124 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:45:03Z

Weaknesses
  • CWE-821

    Incorrect Synchronization