Description
In the Linux kernel, the following vulnerability has been resolved:

drbd: Balance RCU calls in drbd_adm_dump_devices()

Make drbd_adm_dump_devices() call rcu_read_lock() before
rcu_read_unlock() is called. This has been detected by the Clang
thread-safety analyzer.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the Linux kernel's DRBD subsystem, where drbd_adm_dump_devices() incorrectly orders RCU lock operations, calling rcu_read_unlock() before acquiring rcu_read_lock(). This race condition can corrupt shared data accessed during device dumps and may cause a kernel panic, resulting in a denial‑of‑service. The defect was identified by Clang's thread‑safety analyzer and reflects a concurrency flaw that could be leveraged by an attacker with the ability to trigger the dump routine or invoke the vulnerable function while the kernel is running.

Affected Systems

All Linux kernel implementations are affected as the generic Linux kernel CPE (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) indicates no version restrictions. The flaw exists in any kernel build that still contains the unbalanced RCU calls in drbd_adm_dump_devices() until the patch is applied.

Risk and Exploitability

There is no CVSS score in the provided data, and the EPSS score is not available, so the exploitation probability cannot be quantified precisely. The vulnerability is not listed in CISA's KEV catalog. The defect is a race condition that can lead to a denial‑of‑service by crashing the kernel. Based on the description, it is inferred that exploiting the vulnerability would require local privileged access to execute drbd_adm_dump_devices(). This suggests the risk is significant for systems that run the DRBD subsystem and allow the dump function to be invoked by privileged users.

Generated by OpenCVE AI on June 25, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that balances the RCU lock ordering in drbd_adm_dump_devices()
  • If upgrading is not feasible, restrict execution of drbd_adm_dump_devices to trusted privileged users or disable the command if possible
  • For systems running DRBD, consider disabling the DRBD service or unmounting DRBD devices until the kernel patch is applied

Generated by OpenCVE AI on June 25, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drbd: Balance RCU calls in drbd_adm_dump_devices() Make drbd_adm_dump_devices() call rcu_read_lock() before rcu_read_unlock() is called. This has been detected by the Clang thread-safety analyzer.
Title drbd: Balance RCU calls in drbd_adm_dump_devices()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:55.911Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53128

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53128 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T04:30:07Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-416

    Use After Free

  • CWE-832

    Unlock of a Resource that is not Locked