PatchSiren

CVE-2026-45949 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's hardware random number generator (hwrng) core could allow local attackers to trigger memory corruption. The flaw stems from a race condition where hwrng_unregister() could call kthread_stop() multiple times on the same task_struct due to unsynchronized access to the global hwrng_fill pointer. Additionally, rapid register/unregister sequences could leave hwrng_fill in a dirty state, causing subsequent operations to fail or reference freed memory. The vulnerability manifests as refcount_t warnings and potential kernel crashes. The fix implements RCU protection for current_rng access, serializes kthread operations under rng_mutex, and introduces a work_struct for delayed cleanup to prevent deadlocks.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, cloud infrastructure operators using virtio-rng, and security teams monitoring for local privilege escalation vectors in multi-tenant environments

Technical summary

The hwrng core subsystem in the Linux kernel contained a race condition where concurrent hwrng_register() and hwrng_unregister() operations could manipulate the global hwrng_fill pointer without adequate synchronization. hwrng_fill was not cleared until the hwrng_fillfn() kernel thread exited, but hwrng_unregister() read it outside rng_mutex, so kthread_stop() could be called twice on the same task. Rapid register/unregister sequences could also leave hwrng_fill dirty, causing subsequent hwrng_register() calls to fail and hwrng_unregister() to reference freed task_struct memory. The fix converts current_rng access to RCU protection, protects hwrng_fill under rng_mutex, moves kthread_stop() to drop_current_rng() for consistent cleanup paths, and introduces work_struct-based delayed cleanup to avoid deadlocks. The hwrng_fillfn() thread now calls schedule() to remain alive until properly stopped.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing commits ad38f2cdfef9, cc2f39d6ac48, d5b7730f0699, or dcf416eb88ea from the stable kernel tree
  • Monitor kernel logs for refcount_t warnings or kthread_stop() related oopses as potential exploitation indicators
  • Restrict access to hwrng device nodes (/dev/hwrng, /dev/random backend interfaces) to trusted processes only
  • Review systems utilizing virtual RNG drivers (virtio-rng) for abnormal kernel behavior
  • Consider disabling hardware RNG fallback mechanisms if not required for operational security posture
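
Added example (not part of the original advisory, and not kernel or vendor code): a log triage helper for the monitoring action above. It groups each refcount_t warning with its call trace and keeps only those that pass through kthread_stop(), noting whether hwrng_unregister() or virtrng_remove() also appear. The sample log and the names scan_kernel_log, SAMPLE_LOG and example_put are constructed for illustration.

```python
import re

# Functions the advisory names in the crash signature.
REQUIRED = "kthread_stop"
CONTEXT = ("hwrng_unregister", "virtrng_remove")
# Kernel stack frame such as " kthread_stop+0x181/0x1a0".
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def _close(report, findings):
    """Keep a finished report only if kthread_stop() is in its trace."""
    if report and REQUIRED in report["frames"]:
        report["hwrng_context"] = [s for s in CONTEXT if s in report["frames"]]
        findings.append(report)

def scan_kernel_log(lines, max_lines=80):
    """Group each refcount_t warning with its trace; filter on kthread_stop."""
    findings, report, seen = [], None, 0
    for line in lines:
        if "refcount_t:" in line:
            _close(report, findings)  # previous report had no end marker
            report = {"message": line.split("refcount_t:", 1)[1].strip(), "frames": []}
            seen = 0
            continue
        if report is None:
            continue
        seen += 1
        report["frames"] += FRAME.findall(line)
        if "---[ end trace" in line or seen >= max_lines:
            _close(report, findings)
            report = None
    _close(report, findings)  # log ended in the middle of a report
    return findings

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
[  812.330117] refcount_t: addition on 0; use-after-free.
[  812.330131] WARNING: CPU: 2 PID: 4711 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110
[  812.330190] Call Trace:
[  812.330195]  kthread_stop+0x181/0x1a0
[  812.330201]  hwrng_unregister+0x12c/0x1c0
[  812.330207]  virtrng_remove+0x4e/0x90
[  812.330240] ---[ end trace 0000000000000000 ]---
[  901.551002] refcount_t: underflow; use-after-free.
[  901.551081]  example_put+0x3a/0x50
[  901.551099] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    print(scan_kernel_log(SAMPLE_LOG))
```

Feed it the lines of a saved kernel log; a hit with an empty hwrng_context still passed through kthread_stop() but may belong to a different subsystem.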

Evidence notes

The vulnerability description indicates this is a resolved Linux kernel issue affecting the hwrng core subsystem. The race condition involves hwrng_fill pointer management outside proper locking, with specific crash signatures including refcount_t saturation warnings in kthread_stop() paths. Multiple stable kernel commits are referenced, suggesting backports to affected versions. The virtrng_remove() call trace indicates that virtual RNG drivers are an affected attack vector.
