CVE-2026-46050 (GCVE-0-2026-46050)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:57 – Updated: 2026-05-27 12:57
VLAI
Title
md/raid10: fix deadlock with check operation and nowait requests
Summary
In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d , < 965d6162dd88cc7cc193cf7f5bfc132d8bbf0523 (git)
Affected: 2941155d9a5ae098b480d551f3a5f8605d4f9af5 , < 42fe37c90184cd1568838b84b488934c3671c963 (git)
Affected: 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 , < cac2106bb9a2180b288079b49ed626414fb5bc45 (git)
Affected: 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 , < 1cdff2937c618f81058422bbdc4974a3e7ec9379 (git)
Affected: 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 , < 7d96f3120a7fb7210d21b520c5b6f495da6ba436 (git)
Affected: 10c6021a609deb95f23f0cc2f89aa9d4bffb14c7 (git)
Affected: 9af149ca9d0dab6e59e813519d309eff62499864 (git)
Affected: ed7bcd9f617e4107ac0813c516e72e6b8f6029bd (git)
Affected: 6.6.99 , < 6.6.140 (semver)
Affected: 6.12.39 , < 6.12.86 (semver)
Affected: 5.15.189 , < 5.16 (semver)
Affected: 6.1.146 , < 6.2 (semver)
Affected: 6.15.7 , < 6.16 (semver)
Create a notification for this product.
Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid10.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "965d6162dd88cc7cc193cf7f5bfc132d8bbf0523",
              "status": "affected",
              "version": "8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d",
              "versionType": "git"
            },
            {
              "lessThan": "42fe37c90184cd1568838b84b488934c3671c963",
              "status": "affected",
              "version": "2941155d9a5ae098b480d551f3a5f8605d4f9af5",
              "versionType": "git"
            },
            {
              "lessThan": "cac2106bb9a2180b288079b49ed626414fb5bc45",
              "status": "affected",
              "version": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
              "versionType": "git"
            },
            {
              "lessThan": "1cdff2937c618f81058422bbdc4974a3e7ec9379",
              "status": "affected",
              "version": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
              "versionType": "git"
            },
            {
              "lessThan": "7d96f3120a7fb7210d21b520c5b6f495da6ba436",
              "status": "affected",
              "version": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "10c6021a609deb95f23f0cc2f89aa9d4bffb14c7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9af149ca9d0dab6e59e813519d309eff62499864",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ed7bcd9f617e4107ac0813c516e72e6b8f6029bd",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.86",
              "status": "affected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThan": "5.16",
              "status": "affected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThan": "6.16",
              "status": "affected",
              "version": "6.15.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid10.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.12.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.146",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix deadlock with check operation and nowait requests\n\nWhen an array check is running it will raise the barrier at which point\nnormal requests will become blocked and increment the nr_pending value to\nsignal there is work pending inside of wait_barrier(). NOWAIT requests\ndo not block and so will return immediately with an error, and additionally\ndo not increment nr_pending in wait_barrier(). Upstream change commit\n43806c3d5b9b (\"raid10: cleanup memleak at raid10_make_request\") added a\ncall to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit\nthis condition. raid_end_bio_io() eventually calls allow_barrier() and\nit will unconditionally do an atomic_dec_and_test(\u0026conf-\u003enr_pending) even\nthough the corresponding increment on nr_pending didn\u0027t happen in the\nNOWAIT case.\n\nThis can be easily seen by starting a check operation while an application\nis doing nowait IO on the same array. This results in a deadlocked state\ndue to nr_pending value underflowing and so the md resync thread gets stuck\nwaiting for nr_pending to == 0.\n\nOutput of r10conf state of the array when we hit this condition:\n\ncrash\u003e struct r10conf\n\tbarrier = 1,\n        nr_pending = {\n          counter = -41\n        },\n        nr_waiting = 15,\n        nr_queued = 0,\n\nExample of md_sync thread stuck waiting on raise_barrier() and other\nrequests stuck in wait_barrier():\n\nmd1_resync\n[\u003c0\u003e] raise_barrier+0xce/0x1c0\n[\u003c0\u003e] raid10_sync_request+0x1ca/0x1ed0\n[\u003c0\u003e] md_do_sync+0x779/0x1110\n[\u003c0\u003e] md_thread+0x90/0x160\n[\u003c0\u003e] kthread+0xbe/0xf0\n[\u003c0\u003e] ret_from_fork+0x34/0x50\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30\n\nkworker/u1040:2+flush-253:4\n[\u003c0\u003e] wait_barrier+0x1de/0x220\n[\u003c0\u003e] regular_request_wait+0x30/0x180\n[\u003c0\u003e] raid10_make_request+0x261/0x1000\n[\u003c0\u003e] md_handle_request+0x13b/0x230\n[\u003c0\u003e] __submit_bio+0x107/0x1f0\n[\u003c0\u003e] submit_bio_noacct_nocheck+0x16f/0x390\n[\u003c0\u003e] ext4_io_submit+0x24/0x40\n[\u003c0\u003e] ext4_do_writepages+0x254/0xc80\n[\u003c0\u003e] ext4_writepages+0x84/0x120\n[\u003c0\u003e] do_writepages+0x7a/0x260\n[\u003c0\u003e] __writeback_single_inode+0x3d/0x300\n[\u003c0\u003e] writeback_sb_inodes+0x1dd/0x470\n[\u003c0\u003e] __writeback_inodes_wb+0x4c/0xe0\n[\u003c0\u003e] wb_writeback+0x18b/0x2d0\n[\u003c0\u003e] wb_workfn+0x2a1/0x400\n[\u003c0\u003e] process_one_work+0x149/0x330\n[\u003c0\u003e] worker_thread+0x2d2/0x410\n[\u003c0\u003e] kthread+0xbe/0xf0\n[\u003c0\u003e] ret_from_fork+0x34/0x50\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:57:06.732Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523"
        },
        {
          "url": "https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963"
        },
        {
          "url": "https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436"
        }
      ],
      "title": "md/raid10: fix deadlock with check operation and nowait requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46050",
    "datePublished": "2026-05-27T12:57:06.732Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-05-27T12:57:06.732Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46050",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46050\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:24.547\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/raid10: fix deadlock with check operation and nowait requests\\n\\nWhen an array check is running it will raise the barrier at which point\\nnormal requests will become blocked and increment the nr_pending value to\\nsignal there is work pending inside of wait_barrier(). NOWAIT requests\\ndo not block and so will return immediately with an error, and additionally\\ndo not increment nr_pending in wait_barrier(). Upstream change commit\\n43806c3d5b9b (\\\"raid10: cleanup memleak at raid10_make_request\\\") added a\\ncall to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit\\nthis condition. raid_end_bio_io() eventually calls allow_barrier() and\\nit will unconditionally do an atomic_dec_and_test(\u0026conf-\u003enr_pending) even\\nthough the corresponding increment on nr_pending didn\u0027t happen in the\\nNOWAIT case.\\n\\nThis can be easily seen by starting a check operation while an application\\nis doing nowait IO on the same array. This results in a deadlocked state\\ndue to nr_pending value underflowing and so the md resync thread gets stuck\\nwaiting for nr_pending to == 0.\\n\\nOutput of r10conf state of the array when we hit this condition:\\n\\ncrash\u003e struct r10conf\\n\\tbarrier = 1,\\n        nr_pending = {\\n          counter = -41\\n        },\\n        nr_waiting = 15,\\n        nr_queued = 0,\\n\\nExample of md_sync thread stuck waiting on raise_barrier() and other\\nrequests stuck in wait_barrier():\\n\\nmd1_resync\\n[\u003c0\u003e] raise_barrier+0xce/0x1c0\\n[\u003c0\u003e] raid10_sync_request+0x1ca/0x1ed0\\n[\u003c0\u003e] md_do_sync+0x779/0x1110\\n[\u003c0\u003e] md_thread+0x90/0x160\\n[\u003c0\u003e] kthread+0xbe/0xf0\\n[\u003c0\u003e] ret_from_fork+0x34/0x50\\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30\\n\\nkworker/u1040:2+flush-253:4\\n[\u003c0\u003e] wait_barrier+0x1de/0x220\\n[\u003c0\u003e] regular_request_wait+0x30/0x180\\n[\u003c0\u003e] raid10_make_request+0x261/0x1000\\n[\u003c0\u003e] md_handle_request+0x13b/0x230\\n[\u003c0\u003e] __submit_bio+0x107/0x1f0\\n[\u003c0\u003e] submit_bio_noacct_nocheck+0x16f/0x390\\n[\u003c0\u003e] ext4_io_submit+0x24/0x40\\n[\u003c0\u003e] ext4_do_writepages+0x254/0xc80\\n[\u003c0\u003e] ext4_writepages+0x84/0x120\\n[\u003c0\u003e] do_writepages+0x7a/0x260\\n[\u003c0\u003e] __writeback_single_inode+0x3d/0x300\\n[\u003c0\u003e] writeback_sb_inodes+0x1dd/0x470\\n[\u003c0\u003e] __writeback_inodes_wb+0x4c/0xe0\\n[\u003c0\u003e] wb_writeback+0x18b/0x2d0\\n[\u003c0\u003e] wb_workfn+0x2a1/0x400\\n[\u003c0\u003e] process_one_work+0x149/0x330\\n[\u003c0\u003e] worker_thread+0x2d2/0x410\\n[\u003c0\u003e] kthread+0xbe/0xf0\\n[\u003c0\u003e] ret_from_fork+0x34/0x50\\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.