CVE-2026-46173

In the Linux kernel, the following vulnerability has been resolved:

exit: prevent preemption of oopsing TASK_DEAD task

When an already-exiting task oopses, maketaskdead() currently calls dotaskdead() with preemption enabled. That is forbidden: dotaskdead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!".

If an oopsing task is preempted in dotaskdead(), between becoming TASKDEAD and entering the scheduler explicitly, bad things happen: finishtaskswitch() assumes that once the scheduler has switched away from a TASKDEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)