Impact
Writing "clear" to an md array's array_state in the Linux kernel triggers sysfs_unbreak_active_protection while the array is pending delayed deletion. The temp kobject reference from sysfs_break_active_protection may become the last reference protecting the md kobject. When sysfs_unbreak_active_protection releases that reference, kobject teardown recurses into kernfs removal while the sysfs write path is still unwound, leading lockdep to report a recursive lock acquisition on kn->active. This race can culminate in a kernel deadlock, stalling kernel threads and potentially causing a kernel panic or significant service disruption. The flaw is a concurrent-state violation.
Affected Systems
All Linux kernel binaries that contain the buggy sysfs handling for md arrays, specifically those prior to the commit c/2aa72276fab9851dbd59c2daeb4b590c5a113908. This encompasses the standard kernel packages provided by Linux distributions.
Risk and Exploitability
The defect only manifests when a privileged user writes to /sys/block/.../array_state, so local root or equivalent privileged access is required. This requirement is inferred from the CVE description, which indicates that writing to sysfs requires privileged access typically reserved for root. No public exploits are known, and the EPSS score is not available. The CVSS score of 5.5 indicates moderate severity. Although the likelihood of exploitation in typical environments is limited, the potential impact of a kernel deadlock warrants immediate attention in systems that manage md arrays.
OpenCVE Enrichment