CVE-2026-45957

Source
https://cve.org/CVERecord?id=CVE-2026-45957
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45957.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45957
Published
2026-05-27T12:18:13.145Z
Modified
2026-06-18T03:54:30.086497086Z
Summary
rcu: Fix rcu_read_unlock() deadloop due to softirq
Details

In the Linux kernel, the following vulnerability has been resolved:

rcu: Fix rcu_read_unlock() deadloop due to softirq

Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") removes the recursion-protection code from __rcu_read_unlock(). Therefore, we could invoke the deadloop in raise_softirq_irqoff() with ftrace enabled as follows:

    WARNING: CPU: 0 PID: 0 at kernel/trace/trace.c:3021 __ftrace_trace_stack.constprop.0+0x172/0x180
    Modules linked in: my_irqwork(O)
    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.18.0-rc7-dirty #23 PREEMPT(full)
    Tainted: [O]=OOT_MODULE
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    RIP: 0010:__ftrace_trace_stack.constprop.0+0x172/0x180
    RSP: 0018:ffffc900000034a8 EFLAGS: 00010002
    RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
    RDX: 0000000000000003 RSI: ffffffff826d7b87 RDI: ffffffff826e9329
    RBP: 0000000000090009 R08: 0000000000000005 R09: ffffffff82afbc4c
    R10: 0000000000000008 R11: 0000000000011d7a R12: 0000000000000000
    R13: ffff888003874100 R14: 0000000000000003 R15: ffff8880038c1054
    FS: 0000000000000000(0000) GS:ffff8880fa8ea000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000055b31fa7f540 CR3: 00000000078f4005 CR4: 0000000000770ef0
    PKRU: 55555554
    Call Trace:
     <IRQ>
     trace_buffer_unlock_commit_regs+0x6d/0x220
     trace_event_buffer_commit+0x5c/0x260
     trace_event_raw_event_softirq+0x47/0x80
     raise_softirq_irqoff+0x6e/0xa0
     rcu_read_unlock_special+0xb1/0x160
     unwind_next_frame+0x203/0x9b0
     __unwind_start+0x15d/0x1c0
     arch_stack_walk+0x62/0xf0
     stack_trace_save+0x48/0x70
     __ftrace_trace_stack.constprop.0+0x144/0x180
     trace_buffer_unlock_commit_regs+0x6d/0x220
     trace_event_buffer_commit+0x5c/0x260
     trace_event_raw_event_softirq+0x47/0x80
     raise_softirq_irqoff+0x6e/0xa0
     rcu_read_unlock_special+0xb1/0x160
     unwind_next_frame+0x203/0x9b0
     __unwind_start+0x15d/0x1c0
     arch_stack_walk+0x62/0xf0
     stack_trace_save+0x48/0x70
     __ftrace_trace_stack.constprop.0+0x144/0x180
     trace_buffer_unlock_commit_regs+0x6d/0x220
     trace_event_buffer_commit+0x5c/0x260
     trace_event_raw_event_softirq+0x47/0x80
     raise_softirq_irqoff+0x6e/0xa0
     rcu_read_unlock_special+0xb1/0x160
     unwind_next_frame+0x203/0x9b0
     __unwind_start+0x15d/0x1c0
     arch_stack_walk+0x62/0xf0
     stack_trace_save+0x48/0x70
     __ftrace_trace_stack.constprop.0+0x144/0x180
     trace_buffer_unlock_commit_regs+0x6d/0x220
     trace_event_buffer_commit+0x5c/0x260
     trace_event_raw_event_softirq+0x47/0x80
     raise_softirq_irqoff+0x6e/0xa0
     rcu_read_unlock_special+0xb1/0x160
     __is_insn_slot_addr+0x54/0x70
     kernel_text_address+0x48/0xc0
     __kernel_text_address+0xd/0x40
     unwind_get_return_address+0x1e/0x40
     arch_stack_walk+0x9c/0xf0
     stack_trace_save+0x48/0x70
     __ftrace_trace_stack.constprop.0+0x144/0x180
     trace_buffer_unlock_commit_regs+0x6d/0x220
     trace_event_buffer_commit+0x5c/0x260
     trace_event_raw_event_softirq+0x47/0x80
     __raise_softirq_irqoff+0x61/0x80
     __flush_smp_call_function_queue+0x115/0x420
     __sysvec_call_function_single+0x17/0xb0
     sysvec_call_function_single+0x8c/0xc0
     </IRQ>

Commit b41642c87716 ("rcu: Fix rcu_read_unlock() deadloop due to IRQ work") fixed the infinite loop in rcu_read_unlock_special() for IRQ work by setting a flag before calling irq_work_queue_on(). We fix this issue by setting the same flag before calling raise_softirq_irqoff() and renaming the flag to defer_qs_pending for more common use.
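The recursion in the call trace and the effect of setting the flag before the call can be reproduced in a small user-space model. This is an added example, not kernel code or code from the fix commits. The function names mirror the trace, while `MAX_DEPTH`, `simulate()`, the counters, and the assumption that the reader's deferred state stays set across nested unlocks are simplifications made for illustration.

```c
/* User-space model of the recursion on this page; added example, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_DEPTH 64            /* stand-in for "recurses until the stack runs out" */

static bool tracing_on;         /* softirq trace event with stack tracing enabled */
static bool use_fix;            /* apply the flag-before-raise guard */
static bool defer_qs_pending;   /* flag named on the page (per-CPU in the kernel) */
static int depth, max_depth, raised;

static void rcu_read_unlock_special(void);

/* Assumption: the reader's deferred-work state stays set, so every unlock
 * reached from the tracer takes the slow path again. */
static void rcu_read_unlock(void) { rcu_read_unlock_special(); }

/* The stack walker runs an RCU read-side section and then unlocks. */
static void stack_trace_save(void) { rcu_read_unlock(); }

/* The softirq tracepoint fires inside raise_softirq_irqoff(). */
static void raise_softirq_irqoff(void)
{
    if (tracing_on)
        stack_trace_save();
    raised++;
}

static void rcu_read_unlock_special(void)
{
    if (++depth > max_depth)
        max_depth = depth;
    /* Without the fix the flag is never consulted, so each entry raises again. */
    if (depth < MAX_DEPTH && !(use_fix && defer_qs_pending)) {
        defer_qs_pending = true;    /* set before the call that can re-enter */
        raise_softirq_irqoff();
    }
    depth--;
}

/* Returns the deepest nesting of rcu_read_unlock_special() for one unlock. */
int simulate(bool tracing, bool fix)
{
    tracing_on = tracing; use_fix = fix;
    defer_qs_pending = false; depth = max_depth = raised = 0;
    rcu_read_unlock();
    return max_depth;
}

int main(void)
{
    printf("unfixed+trace: depth %d\n", simulate(true, false));
    printf("fixed+trace:   depth %d\n", simulate(true, true));
    return 0;
}
```

The model never clears the flag because it simulates a single unlock, so it says nothing about when the kernel resets it.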

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45957.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce
Fixed
979c708e6c9d7fc461daef2dad8b45f22e23464c
Fixed
1f16679a5aa60238466ce339c35f5e82ece60337
Fixed
4a4a6e12c9c829be3f74b7206fa8640fc4e1c566
Fixed
c2932e16d8c354404b17123e64daa8e33191e145
Fixed
d41e37f26b3157b3f1d10223863519a943aa239b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45957.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45957.json"