CVE-2026-46031 (GCVE-0-2026-46031)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-05-27 12:56
VLAI
Title
net: ks8851: Reinstate disabling of BHs around IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Reinstate disabling of BHs around IRQ handler If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device. If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below. If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well. Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed. __schedule from schedule_rtlock+0x1c/0x34 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c sch_direct_xmit from __qdisc_run+0x1f8/0x4ec __qdisc_run from qdisc_run+0x1c/0x28 qdisc_run from net_tx_action+0x1f0/0x268 net_tx_action from handle_softirqs+0x1a4/0x270 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 __local_bh_enable_ip from __alloc_skb+0xd8/0x128 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 ks8851_irq from irq_thread_fn+0x24/0x64 irq_thread_fn from irq_thread+0x178/0x28c irq_thread from kthread+0x12c/0x138 kthread from ret_from_fork+0x14/0x28
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ae87f661f3c1a3134a7ed86ab69bf9f12af88993 , < 640a7631d31db87d5fa1b34cea44a99b6e78854b (git)
Affected: e0863634bf9f7cf36291ebb5bfa2d16632f79c49 , < 518040324067d8efaa2da1992297b7e7bf5640f4 (git)
Affected: e0863634bf9f7cf36291ebb5bfa2d16632f79c49 , < be8aad558b4675f45b43080f81a9ffdeddea73a5 (git)
Affected: e0863634bf9f7cf36291ebb5bfa2d16632f79c49 , < 21f1707a8e978558dcb11b053855521e32ac0eec (git)
Affected: e0863634bf9f7cf36291ebb5bfa2d16632f79c49 , < 5c9fcac3c872224316714d0d8914d9af16c76a6d (git)
Affected: 8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545 (git)
Affected: 7e2901a2a9195da76111f351584bf77552a038f0 (git)
Affected: 6.6.31 , < 6.6.140 (semver)
Affected: 6.1.91 , < 6.2 (semver)
Affected: 6.8.10 , < 6.9 (semver)
Create a notification for this product.
Linux Linux Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/micrel/ks8851.h",
            "drivers/net/ethernet/micrel/ks8851_common.c",
            "drivers/net/ethernet/micrel/ks8851_par.c",
            "drivers/net/ethernet/micrel/ks8851_spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "640a7631d31db87d5fa1b34cea44a99b6e78854b",
              "status": "affected",
              "version": "ae87f661f3c1a3134a7ed86ab69bf9f12af88993",
              "versionType": "git"
            },
            {
              "lessThan": "518040324067d8efaa2da1992297b7e7bf5640f4",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "lessThan": "be8aad558b4675f45b43080f81a9ffdeddea73a5",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "lessThan": "21f1707a8e978558dcb11b053855521e32ac0eec",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "lessThan": "5c9fcac3c872224316714d0d8914d9af16c76a6d",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7e2901a2a9195da76111f351584bf77552a038f0",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.91",
              "versionType": "semver"
            },
            {
              "lessThan": "6.9",
              "status": "affected",
              "version": "6.8.10",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/micrel/ks8851.h",
            "drivers/net/ethernet/micrel/ks8851_common.c",
            "drivers/net/ethernet/micrel/ks8851_par.c",
            "drivers/net/ethernet/micrel/ks8851_spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.91",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Reinstate disabling of BHs around IRQ handler\n\nIf the driver executes ks8851_irq() AND a TX packet has been sent, then\nthe driver enables TX queue via netif_wake_queue() which schedules TX\nsoftirq to queue packets for this device.\n\nIf CONFIG_PREEMPT_RT=y is set AND a packet has also been received by\nthe MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to\nallocate SKBs for the received packets. If netdev_alloc_skb_ip_align()\nis called with BH enabled, then local_bh_enable() at the end of\nnetdev_alloc_skb_ip_align() will trigger the pending softirq processing,\nwhich may ultimately call the .xmit callback ks8851_start_xmit_par().\nThe ks8851_start_xmit_par() will try to lock struct ks8851_net_par\n.lock spinlock, which is already locked by ks8851_irq() from which\nks8851_start_xmit_par() was called. This leads to a deadlock, which\nis reported by the kernel, including a trace listed below.\n\nIf CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0\n(\"net: ks8851: Fix deadlock with the SPI chip variant\") the deadlock\ncan also be triggered without received packet in the RX FIFO. The\npending softirqs will be processed on return from\nspin_unlock_bh(\u0026ks-\u003estatelock) in ks8851_irq(), which triggers the\ndeadlock as well.\n\nFix the problem by disabling BH around critical sections, including the\nIRQ handler, thus preventing the net_tx_action() softirq from triggering\nduring these critical sections. The net_tx_action() softirq is triggered\nonce BH are re-enabled and at the end of the IRQ handler, once all the\nother IRQ handler actions have been completed.\n\n __schedule from schedule_rtlock+0x1c/0x34\n schedule_rtlock from rtlock_slowlock_locked+0x548/0x904\n rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c\n rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8\n ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44\n netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188\n dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c\n sch_direct_xmit from __qdisc_run+0x1f8/0x4ec\n __qdisc_run from qdisc_run+0x1c/0x28\n qdisc_run from net_tx_action+0x1f0/0x268\n net_tx_action from handle_softirqs+0x1a4/0x270\n handle_softirqs from __local_bh_enable_ip+0xcc/0xe0\n __local_bh_enable_ip from __alloc_skb+0xd8/0x128\n __alloc_skb from __netdev_alloc_skb+0x3c/0x19c\n __netdev_alloc_skb from ks8851_irq+0x388/0x4d4\n ks8851_irq from irq_thread_fn+0x24/0x64\n irq_thread_fn from irq_thread+0x178/0x28c\n irq_thread from kthread+0x12c/0x138\n kthread from ret_from_fork+0x14/0x28"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:56:40.357Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/640a7631d31db87d5fa1b34cea44a99b6e78854b"
        },
        {
          "url": "https://git.kernel.org/stable/c/518040324067d8efaa2da1992297b7e7bf5640f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/be8aad558b4675f45b43080f81a9ffdeddea73a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/21f1707a8e978558dcb11b053855521e32ac0eec"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c9fcac3c872224316714d0d8914d9af16c76a6d"
        }
      ],
      "title": "net: ks8851: Reinstate disabling of BHs around IRQ handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46031",
    "datePublished": "2026-05-27T12:56:40.357Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-05-27T12:56:40.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46031",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46031\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:22.057\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ks8851: Reinstate disabling of BHs around IRQ handler\\n\\nIf the driver executes ks8851_irq() AND a TX packet has been sent, then\\nthe driver enables TX queue via netif_wake_queue() which schedules TX\\nsoftirq to queue packets for this device.\\n\\nIf CONFIG_PREEMPT_RT=y is set AND a packet has also been received by\\nthe MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to\\nallocate SKBs for the received packets. If netdev_alloc_skb_ip_align()\\nis called with BH enabled, then local_bh_enable() at the end of\\nnetdev_alloc_skb_ip_align() will trigger the pending softirq processing,\\nwhich may ultimately call the .xmit callback ks8851_start_xmit_par().\\nThe ks8851_start_xmit_par() will try to lock struct ks8851_net_par\\n.lock spinlock, which is already locked by ks8851_irq() from which\\nks8851_start_xmit_par() was called. This leads to a deadlock, which\\nis reported by the kernel, including a trace listed below.\\n\\nIf CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0\\n(\\\"net: ks8851: Fix deadlock with the SPI chip variant\\\") the deadlock\\ncan also be triggered without received packet in the RX FIFO. The\\npending softirqs will be processed on return from\\nspin_unlock_bh(\u0026ks-\u003estatelock) in ks8851_irq(), which triggers the\\ndeadlock as well.\\n\\nFix the problem by disabling BH around critical sections, including the\\nIRQ handler, thus preventing the net_tx_action() softirq from triggering\\nduring these critical sections. The net_tx_action() softirq is triggered\\nonce BH are re-enabled and at the end of the IRQ handler, once all the\\nother IRQ handler actions have been completed.\\n\\n __schedule from schedule_rtlock+0x1c/0x34\\n schedule_rtlock from rtlock_slowlock_locked+0x548/0x904\\n rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c\\n rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8\\n ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44\\n netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188\\n dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c\\n sch_direct_xmit from __qdisc_run+0x1f8/0x4ec\\n __qdisc_run from qdisc_run+0x1c/0x28\\n qdisc_run from net_tx_action+0x1f0/0x268\\n net_tx_action from handle_softirqs+0x1a4/0x270\\n handle_softirqs from __local_bh_enable_ip+0xcc/0xe0\\n __local_bh_enable_ip from __alloc_skb+0xd8/0x128\\n __alloc_skb from __netdev_alloc_skb+0x3c/0x19c\\n __netdev_alloc_skb from ks8851_irq+0x388/0x4d4\\n ks8851_irq from irq_thread_fn+0x24/0x64\\n irq_thread_fn from irq_thread+0x178/0x28c\\n irq_thread from kthread+0x12c/0x138\\n kthread from ret_from_fork+0x14/0x28\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/21f1707a8e978558dcb11b053855521e32ac0eec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/518040324067d8efaa2da1992297b7e7bf5640f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5c9fcac3c872224316714d0d8914d9af16c76a6d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/640a7631d31db87d5fa1b34cea44a99b6e78854b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be8aad558b4675f45b43080f81a9ffdeddea73a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.