CVE-2026-52946

In the Linux kernel, the following vulnerability has been resolved: fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal. When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context: - send_sigio() via input_inject_event -> kill_fasync - send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ) The deadlock is caused by the rwlock writer fairness mechanism: 1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait(). 2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in fork() or exit() and spins, which blocks all new readers. 3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception). 4. The softirq calls send_sigurg() and attempts to acquire read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting. Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets. Lockdep splat: ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event_lock --> &f_owner->lock --> tasklist_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock); *** DEADLOCK ***
https://nvd.nist.gov/vuln/detail/CVE-2026-52946

Categories

No category defined

References

 

AFFECTED (from MITRE)

---

Vendor	Product	Versions
Linux	Linux	1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 54626335ea4174ab2d9a183b511d825f6765e47b [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 897d6a7247739fb1528f98c575df4f2e5de7f994 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b5fa9e32fb6718f70c986ee14dd5d01b4846f331 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1bee417678f1135e35b25a37734db46aa94258d2 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 20a93e397abe850c49b6fa0e8cc827b5f634a8f5 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < bfcc8e8d8a495bb34cae9e620adfb75fb13a3954 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed [affected] < 5.10.259 [affected] < 5.15.210 [affected] < 6.1.176 [affected] < 6.6.143 [affected] < 6.12.94 [affected] < 6.18.36 [affected] < 7.0.13 [affected] < 7.1.1 [affected]
Linux	Linux	5.10.259 ≤ 5.10.* [unaffected] 5.15.210 ≤ 5.15.* [unaffected] 6.1.176 ≤ 6.1.* [unaffected] 6.6.143 ≤ 6.6.* [unaffected] 6.12.94 ≤ 6.12.* [unaffected] 6.18.36 ≤ 6.18.* [unaffected] 7.0.13 ≤ 7.0.* [unaffected] 7.1.1 ≤ 7.1.* [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 5.10.259
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 5.15.210
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 6.1.176
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 6.6.143
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 6.12.94
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 6.18.36
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 7.0.13
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 7.1.1

---

REMEDIATION

---

---

EXPLOITS

---

Exploit-db.com

id	description	date
No known exploits

---

POC Github

Url
No known exploits

---

Other Nist (github, ...)

Url
No known exploits

---

CAPEC

---

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

---