CVE-2026-45949

Source
https://cve.org/CVERecord?id=CVE-2026-45949
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45949.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45949
Downstream
Published
2026-05-27T12:18:05.718Z
Modified
2026-06-18T03:57:14.331291305Z
Summary
hwrng: core - use RCU and work_struct to fix race condition
Details

In the Linux kernel, the following vulnerability has been resolved:

hwrng: core - use RCU and work_struct to fix race condition

Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex lock, a concurrent hwrng_unregister() may call kthread_stop() again on the same task.

Additionally, if hwrng_unregister() is called immediately after hwrng_register(), the stopped thread may have never been executed. Thus, hwrng_fill remains dirty even after hwrng_unregister() returns. In this case, subsequent calls to hwrng_register() will fail to start new threads, and hwrng_unregister() will call kthread_stop() on the same freed task. In both cases, a use-after-free occurs:

refcount_t: addition on 0; use-after-free.
WARNING: ... at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0
Call Trace:
 kthread_stop+0x181/0x360
 hwrng_unregister+0x288/0x380
 virtrng_remove+0xe3/0x200

This patch fixes the race by protecting the global hwrng_fill pointer inside the rng_mutex lock, so that the hwrng_fillfn() thread is stopped only once, and calls to kthread_run() and kthread_stop() are serialized with the lock held.

To avoid deadlock in hwrng_fillfn() while being stopped with the lock held, we convert current_rng to RCU, so that get_current_rng() can read current_rng without holding the lock. To remove the lock from put_rng(), we also delay the actual cleanup into a work_struct.

Since get_current_rng() no longer returns ERR_PTR values, the IS_ERR() checks are removed from its callers.

With hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no longer clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns directly after current_rng is dropped, kthread_stop() would be called on a freed task_struct later. To fix this, hwrng_fillfn() now calls schedule() to keep the task alive until being stopped. The kthread_stop() call is also moved from hwrng_unregister() to drop_current_rng(), ensuring kthread_stop() is called on all possible paths where current_rng becomes NULL, so that the thread would not wait forever.
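
The two interleavings the commit message describes, as an added userspace model that is not kernel code and not part of this record: a sequential C program that replays each interleaving step by step against a stand-in for the hwrng_fill pointer, once with the pre-patch behaviour (the filler thread clears the pointer on its own exit path; hwrng_unregister() reads it without the lock) and once with the patched ownership rule (the caller holding rng_mutex takes and clears the pointer, then stops the thread). kthread_run_model(), kthread_stop_model(), struct core, struct outcome and the scenario functions are names introduced here; the refcount in struct task mirrors the reference that kthread_stop() drops. The RCU conversion of current_rng and the work_struct cleanup are outside this model, which only covers who owns hwrng_fill.

```c
/* Sequential model (not kernel code) of the hwrng_fill pointer before and
 * after the patch. Each scenario replays one interleaving from the commit
 * message step by step, so the outcome is deterministic. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the filler kthread's task_struct. `refs` models the
 * reference kthread_stop() drops; a stop at refs == 0 corresponds to the
 * "refcount_t: addition on 0; use-after-free" warning in the trace. */
struct task {
    int refs;
    bool ran;                  /* did the thread body ever get scheduled? */
};

struct core {
    struct task *hwrng_fill;   /* the global pointer in core.c */
    struct task pool[4];       /* tasks are never freed, so a stale pointer
                                  is inspected instead of crashed on */
    int used;
    int threads_started;       /* kthread_run() calls */
    int uaf;                   /* kthread_stop() on an already-freed task */
};

struct outcome { int uaf, threads_started; };

static struct task *kthread_run_model(struct core *c) {
    struct task *t = &c->pool[c->used++];
    t->refs = 1;
    t->ran = false;
    c->threads_started++;
    return t;
}

static void kthread_stop_model(struct core *c, struct task *t) {
    if (t->refs == 0) { c->uaf++; return; }   /* stopping a freed task */
    t->refs = 0;                              /* last reference dropped */
}

/* ---- before the patch ---- */

/* hwrng_fillfn() cleared hwrng_fill on its own exit path, so the pointer
 * only went NULL if the thread body actually ran. */
static void buggy_thread_exit(struct core *c, struct task *t) {
    if (t->ran)
        c->hwrng_fill = NULL;
}

static void buggy_register(struct core *c) {
    if (!c->hwrng_fill)              /* a stale pointer turns this into a no-op */
        c->hwrng_fill = kthread_run_model(c);
}

/* hwrng_unregister() read hwrng_fill without rng_mutex. The read and the
 * stop are separate steps here so a scenario can interleave two callers. */
static struct task *buggy_unregister_read(struct core *c) { return c->hwrng_fill; }

static void buggy_unregister_stop(struct core *c, struct task *t) {
    if (!t) return;
    kthread_stop_model(c, t);
    buggy_thread_exit(c, t);
}

/* ---- after the patch ---- */

/* rng_mutex is held for the whole of both functions: whoever stops the
 * thread also takes and clears the pointer in the same critical section.
 * The thread never touches hwrng_fill and stays alive (schedule() loop)
 * until stopped, so a task that never ran is still valid when stopped. */
static void fixed_register(struct core *c) {
    if (!c->hwrng_fill)
        c->hwrng_fill = kthread_run_model(c);
}

static void fixed_unregister(struct core *c) {
    struct task *t = c->hwrng_fill;  /* take ownership ...                */
    c->hwrng_fill = NULL;            /* ... and clear, still under the lock */
    if (t)                           /* stopping with the lock held is why */
        kthread_stop_model(c, t);    /* fillfn must not take rng_mutex (RCU) */
}

/* Scenario 1: two hwrng_unregister() callers; both read the pointer before
 * the stopped thread has cleared it. */
static struct outcome scenario_concurrent_unregister(bool fixed) {
    struct core c = {0};
    if (fixed) {
        fixed_register(&c);
        fixed_unregister(&c);        /* caller A takes and clears */
        fixed_unregister(&c);        /* caller B sees NULL, does nothing */
    } else {
        buggy_register(&c);
        c.hwrng_fill->ran = true;    /* thread got scheduled */
        struct task *a = buggy_unregister_read(&c);
        struct task *b = buggy_unregister_read(&c);   /* same task as A */
        buggy_unregister_stop(&c, a);    /* thread exits, clears pointer */
        buggy_unregister_stop(&c, b);    /* second stop on the freed task */
    }
    return (struct outcome){ c.uaf, c.threads_started };
}

/* Scenario 2: unregister right after register, before the thread ever ran;
 * then register and unregister once more. */
static struct outcome scenario_unregister_before_run(bool fixed) {
    struct core c = {0};
    if (fixed) {
        fixed_register(&c);
        fixed_unregister(&c);        /* the stopper clears the pointer */
        fixed_register(&c);          /* a fresh thread is started */
        fixed_unregister(&c);
    } else {
        buggy_register(&c);
        buggy_unregister_stop(&c, buggy_unregister_read(&c)); /* never ran: stays dirty */
        buggy_register(&c);                                   /* no-op: still set */
        buggy_unregister_stop(&c, buggy_unregister_read(&c)); /* stops freed task again */
    }
    return (struct outcome){ c.uaf, c.threads_started };
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct outcome s1 = scenario_concurrent_unregister(fixed);
        struct outcome s2 = scenario_unregister_before_run(fixed);
        printf("%s: concurrent-unregister uaf=%d; unregister-before-run uaf=%d threads=%d\n",
               fixed ? "fixed" : "buggy", s1.uaf, s2.uaf, s2.threads_started);
    }
    return 0;
}
```

The pre-patch variant reports one stop on a freed task in each scenario, and in the second scenario only one thread is ever started because the stale hwrng_fill makes the second hwrng_register() a no-op; the patched variant reports no such stop and starts a fresh thread. In the kernel, scenario 1 depends on timing; the model simply fixes the losing interleaving (both callers read before either stop completes), which is the interleaving the lock-protected take-and-clear makes impossible.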

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45949.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
be4000bc4644d027c519b6361f5ae3bbfc52c347
Fixed
d5b7730f06994499632026c30e38e0317c4569e2
Fixed
dcf416eb88eafe1e3c0f920a14bdffd10bc4d259
Fixed
ad38f2cdfef9a2f2899c30cad269baec5bfd4a5d
Fixed
cc2f39d6ac48e6e3cb2d6240bc0d6df839dd0828

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45949.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.17.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45949.json"
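
To turn the Linux/Kernel ECOSYSTEM ranges above into a check, here is an added C helper that is not part of this record or of any OSV tooling: it parses a kernel release string (as printed by uname -r) down to major.minor.patch and tests it against the three [introduced, fixed) ranges copied from this record. parse_kver(), kver_cmp(), kernel_affected() and the cve_2026_45949_ranges table are names chosen here. A match is only an upper bound on exposure: distribution kernels backport stable fixes without changing the version string, and the table knows nothing about mainline versions outside the listed branches, so confirm against the distribution's changelog or the fix commits listed under the Git range.

```c
/* Added check: does a kernel version string fall inside one of this
 * record's Linux/Kernel ECOSYSTEM ranges? Ranges are [introduced, fixed). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

struct kver { int v[3]; };

/* Parse the leading major.minor[.patch] of strings such as "6.12.74",
 * "6.18.0-rc3" or "6.19.4-arch1-1". A distro suffix is ignored and an
 * -rc tag compares as the release it precedes. Returns false if there
 * is no leading major.minor. */
static bool parse_kver(const char *s, struct kver *out) {
    memset(out, 0, sizeof *out);
    for (int i = 0; i < 3; i++) {
        char *end;
        long n = strtol(s, &end, 10);
        if (end == s || n < 0)
            return i >= 2;       /* component missing: need at least two */
        out->v[i] = (int)n;
        if (*end != '.')
            return i >= 1;       /* dotted prefix ended here */
        s = end + 1;
    }
    return true;
}

static int kver_cmp(struct kver a, struct kver b) {
    for (int i = 0; i < 3; i++)
        if (a.v[i] != b.v[i])
            return a.v[i] < b.v[i] ? -1 : 1;
    return 0;
}

/* The three Linux/Kernel ranges listed in this record. */
static const struct { const char *introduced, *fixed; } cve_2026_45949_ranges[] = {
    { "3.17.0", "6.12.75" },
    { "6.13.0", "6.18.14" },
    { "6.19.0", "6.19.4"  },
};

/* 1 = inside an affected range, 0 = outside all listed ranges, -1 = unparsable. */
static int kernel_affected(const char *version) {
    struct kver v, lo, hi;
    if (!parse_kver(version, &v))
        return -1;
    size_t n = sizeof cve_2026_45949_ranges / sizeof cve_2026_45949_ranges[0];
    for (size_t i = 0; i < n; i++) {
        parse_kver(cve_2026_45949_ranges[i].introduced, &lo);
        parse_kver(cve_2026_45949_ranges[i].fixed, &hi);
        if (kver_cmp(v, lo) >= 0 && kver_cmp(v, hi) < 0)
            return 1;
    }
    return 0;
}

/* With no argument, checks the running kernel via uname(2). */
int main(int argc, char **argv) {
    struct utsname u;
    const char *ver = argc > 1 ? argv[1] : (uname(&u) == 0 ? u.release : NULL);
    if (!ver) { perror("uname"); return 2; }
    int r = kernel_affected(ver);
    printf("%s: %s\n", ver,
           r == 1 ? "inside an affected range (verify backports)"
         : r == 0 ? "outside the listed ranges" : "unparsable version");
    return r == 1 ? 1 : 0;
}
```

Versions between the listed branches, such as 6.12.80 or 6.18.20, report as outside the ranges because each stable series carries the fix from the listed version onward; the gap handling is the reason the table must be evaluated range by range rather than as a single "older than 6.19.4" test.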