CVE-2026-45895

{"id": "CVE-2026-45895", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "affected": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "affectedData": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "576215cffdefc1f0ceebffd87abb390926e6b037", "lessThan": "37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82", "versionType": "git"}, {"status": "affected", "version": "576215cffdefc1f0ceebffd87abb390926e6b037", "lessThan": "414259caf81a397563fc9baca9c0ef856c4a97cf", "versionType": "git"}, {"status": "affected", "version": "576215cffdefc1f0ceebffd87abb390926e6b037", "lessThan": "02bb1500f1479750e6557c8044f6a2d7e9d30c12", "versionType": "git"}, {"status": "affected", "version": "576215cffdefc1f0ceebffd87abb390926e6b037", "lessThan": "53b2314b26b6640a3657cc924de63a1a8f26ac4d", "versionType": "git"}, {"status": "affected", "version": "576215cffdefc1f0ceebffd87abb390926e6b037", "lessThan": "77449e453dfc006ad738dec55374c4cbc056fd39", "versionType": "git"}], "programFiles": ["fs/quota/quota.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.5"}, {"status": "unaffected", "version": "0", "lessThan": "6.5", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.128", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.12.75", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.18.14", "versionType": "semver", "lessThanOrEqual": "6.18.*"}, {"status": "unaffected", "version": "6.19.4", "versionType": "semver", "lessThanOrEqual": "6.19.*"}, {"status": "unaffected", "version": "7.0", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/quota/quota.c"], "defaultStatus": "affected"}]}], "published": "2026-05-27T14:17:03.733", "references": [{"url": "https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix livelock between quotactl and freeze_super\n\nWhen a filesystem is frozen, quotactl_block() enters a retry loop\nwaiting for the filesystem to thaw. It acquires s_umount, checks the\nfreeze state, drops s_umount and uses sb_start_write() - sb_end_write()\npair to wait for the unfreeze.\n\nHowever, this retry loop can trigger a livelock issue, specifically on\nkernels with preemption disabled.\n\nThe mechanism is as follows:\n1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().\n2. sb_wait_write() calls percpu_down_write(), which initiates\n synchronize_rcu().\n3. Simultaneously, quotactl_block() spins in its retry loop, immediately\n executing the sb_start_write() - sb_end_write() pair.\n4. Because the kernel is non-preemptible and the loop contains no\n scheduling points, quotactl_block() never yields the CPU. This\n prevents that CPU from reaching an RCU quiescent state.\n5. synchronize_rcu() in the freezer thread waits indefinitely for the\n quotactl_block() CPU to report a quiescent state.\n6. quotactl_block() spins indefinitely waiting for the freezer to\n advance, which it cannot do as it is blocked on the RCU sync.\n\nThis results in a hang of the freezer process and 100% CPU usage by the\nquota process.\n\nWhile this can occur intermittently on multi-core systems, it is\nreliably reproducing on a node with the following script, running both\nthe freezer and the quota toggle on the same CPU:\n\n # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount\n # mount /dev/sda -o quota,usrquota,grpquota a_mount\n # taskset -c 3 bash -c \"while true; do xfs_freeze -f a_mount; \\\n xfs_freeze -u a_mount; done\" &\n # taskset -c 3 bash -c \"while true; do quotaon a_mount; \\\n quotaoff a_mount; done\" &\n\nAdding cond_resched() to the retry loop fixes the issue. It acts as an\nRCU quiescent state, allowing synchronize_rcu() in percpu_down_write()\nto complete."}], "lastModified": "2026-06-25T21:09:58.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A502C6C1-0CFB-4C9B-8A24-C76507206FA7", "versionEndExcluding": "6.6.128", "versionStartIncluding": "6.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2", "versionEndExcluding": "6.12.75", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF463CB7-1F58-4607-B847-77ED23E4B9B7", "versionEndExcluding": "6.18.14", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "672A3E79-EC03-479D-8503-361DFBDC8092", "versionEndExcluding": "6.19.4", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}