Description
In the Linux kernel, the following vulnerability has been resolved:

timers/migration: Fix livelock in tmigr_handle_remote_up()

tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu ==
smp_processor_id(), assuming the local softirq path already handled this
CPU's timers.

This assumption is wrong because jiffies can advance after the handling of
the CPU's global timers in run_timer_base(BASE_GLOBAL) and before
tmigr_handle_remote() evaluates the expiry times.

As a consequence a timer which expires after the CPU local timer wheel
advanced and becomes expired in the remote handling is ignored and the
callback is never invoked and removed from the timer wheel.

What's worse is that fetch_next_timer_interrupt_remote() keeps reporting it
as expired, and the event is re-queued with expires == now on each
iteration. The goto-again loop spins indefinitely.

Fix this by calling timer_expire_remote() unconditionally. That's minimal
overhead for the common case as __run_timer_base() returns immediately if
there is nothing to expire in the local wheel.

[ tglx: Amend change log and add a comment ]
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel suffered a livelock in the timers/migration routine tmigr_handle_remote_up(); when the CPU equals smp_processor_id(), the code mistakenly skips calling timer_expire_remote() under the assumption that the local softirq path has already processed timers. In reality, jiffies may advance between the handling of the local wheel and the remote migration check the local wheel has moved forward is incorrectly ignored and never executed, while fetch_next_timer_interrupt_remote() continues to report it as expired and keeps re‑queuing it with the current time, causing an infinite spin loop and fully consuming CPU resources for that core. This loss of available CPU time results in a denial of service to all other kernel activity on the affected core; the attack is inferred to be triggered when a timer expires after the local wheel has advanced, a condition that can arise naturally in typical workloads, and is therefore likely to occur in systems that have not been patched.

Affected Systems

All Linux kernel releases that include the timers/migration code without the fix are affected; the patch is present in kernel commits starting with 07b3b83587fb and later. This issue applies to any distribution that ships the unmodified kernel from before those commits, so custom builds, older releases, or kernels that have not been updated to incorporate the referenced changes are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high availability impact, and the EPSS score of < 1% indicates that public exploitation opportunities are expected to be rare. The vulnerability is not listed in the CISA only wheel has advanced—an event that can be induced by standard system activity—the occurrence probability remains low but the impact, when triggered, is severe. Exploitation would therefore rely on delivery.

Generated by OpenCVE AI on June 28, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes commit 07b3b83587fb or any later commit that implements the unconditional call to timer_expire_remote() and resolves the livelock.
  • Reboot the system after the update to load the fixed kernel and terminate any lingering timer loops that may have been triggered before the patch was applied.
  • If the kernel is built from a custom source, cherry‑pick the fixing commit or rebuild the kernel with a version that contains the patch, then install the updated kernel.

Generated by OpenCVE AI on June 28, 2026 at 14:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-835

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix livelock in tmigr_handle_remote_up() tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu == smp_processor_id(), assuming the local softirq path already handled this CPU's timers. This assumption is wrong because jiffies can advance after the handling of the CPU's global timers in run_timer_base(BASE_GLOBAL) and before tmigr_handle_remote() evaluates the expiry times. As a consequence a timer which expires after the CPU local timer wheel advanced and becomes expired in the remote handling is ignored and the callback is never invoked and removed from the timer wheel. What's worse is that fetch_next_timer_interrupt_remote() keeps reporting it as expired, and the event is re-queued with expires == now on each iteration. The goto-again loop spins indefinitely. Fix this by calling timer_expire_remote() unconditionally. That's minimal overhead for the common case as __run_timer_base() returns immediately if there is nothing to expire in the local wheel. [ tglx: Amend change log and add a comment ]
Title timers/migration: Fix livelock in tmigr_handle_remote_up()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:54.094Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53180

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53180 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')