CVE-2026-23368

{"id": "CVE-2026-23368", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-25T11:16:36.167", "references": [{"url": "https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2b01518eabace18f7ec8b4cafd52082303080dca", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/305afdd02ff3e694c165457793104710ec0728e5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock \"triggers_list_lock\" via down_write(&triggers_list_lock);\n[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0\n[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0\n[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78\n[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [<80014504>] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock \"triggers_list_lock\" by down_read(&triggers_list_lock);\n[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4\n[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c\n[ 1362.232164] [<80014504>] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don't hold RTNL, so solving the AB-BA deadlock."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\nnet: phy: registrar los led_triggers del phy durante la sonda para evitar un interbloqueo AB-BA\n\nExiste un interbloqueo AB-BA cuando tanto LEDS_TRIGGER_NETDEV como LED_TRIGGER_PHY est\u00e1n habilitados:\n\n[ 1362.049207] [&lt;8054e4b8&gt;] led_trigger_register+0x5c/0x1fc &lt;-- Intentando obtener el bloqueo 'triggers_list_lock' a trav\u00e9s de down_write(&amp;triggers_list_lock);\n[ 1362.054536] [&lt;80662830&gt;] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [&lt;8065e200&gt;] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [&lt;80651fc4&gt;] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [&lt;8066ee18&gt;] mtk_open+0x7c/0xba0\n[ 1362.075849] [&lt;806d714c&gt;] __dev_open+0x280/0x2b0\n[ 1362.080384] [&lt;806d7668&gt;] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [&lt;806d7698&gt;] dev_change_flags+0x28/0x78\n[ 1362.090528] [&lt;807150e4&gt;] dev_ioctl+0x4c0/0x654 &lt;-- Mantiene el bloqueo 'rtnl_mutex' al llamar a rtnl_lock();\n[ 1362.094985] [&lt;80694360&gt;] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [&lt;802e9c4c&gt;] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [&lt;80014504&gt;] syscall_common+0x34/0x58\n\nAqu\u00ed LED_TRIGGER_PHY est\u00e1 registrando los disparadores LED durante phy_attach mientras mantiene RTNL y luego toma triggers_list_lock.\n\n[ 1362.191101] [&lt;806c2640&gt;] register_netdevice_notifier+0x60/0x168 &lt;-- Intentando obtener el bloqueo 'rtnl_mutex' a trav\u00e9s de rtnl_lock();\n[ 1362.197073] [&lt;805504ac&gt;] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [&lt;8054e28c&gt;] led_trigger_set+0x1d4/0x360 &lt;-- Mantiene el bloqueo 'triggers_list_lock' mediante down_read(&amp;triggers_list_lock);\n[ 1362.207511] [&lt;8054eb38&gt;] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [&lt;80381d98&gt;] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [&lt;8037fcd8&gt;] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [&lt;802cbd70&gt;] vfs_write+0x21c/0x3c4\n[ 1362.227712] [&lt;802cc0c4&gt;] ksys_write+0x78/0x12c\n[ 1362.232164] [&lt;80014504&gt;] syscall_common+0x34/0x58\n\nAqu\u00ed LEDS_TRIGGER_NETDEV est\u00e1 siendo habilitado en un LED. Primero toma triggers_list_lock y luego RTNL. Un interbloqueo AB-BA cl\u00e1sico.\n\nphy_led_triggers_registers() no requiere el RTNL, no realiza ninguna llamada a la pila de red que requiera protecci\u00f3n. Tampoco existe el requisito de que el PHY haya sido conectado a un MAC, los disparadores solo hacen uso del estado de phydev. Esto permite que la llamada a phy_led_triggers_registers() se coloque en otro lugar. PHY probe() y release() no mantienen RTNL, resolviendo as\u00ed el interbloqueo AB-BA."}], "lastModified": "2026-04-24T18:41:33.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96C0EA12-83B8-4804-94AB-EF34257BCBDF", "versionEndExcluding": "5.10.253", "versionStartIncluding": "4.16.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.16:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F60469AF-0A23-41D3-BC6A-C0D9A45A2CBC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}