PatchSiren

CVE-2026-46051 Linux CVE debrief

A soft lockup vulnerability exists in the Linux kernel's md/raid5 driver, specifically within the retry_aligned_read() function. The issue arises when an overlapped stripe is encountered during read operations. The function releases the stripe via raid5_release_stripe(), placing it on a lockless released_stripes linked list. In subsequent raid5d loop iterations, release_stripe_list() moves the stripe to handle_list due to the STRIPE_HANDLE flag being set. However, retry_aligned_read() executes before handle_active_stripes() and removes the stripe from handle_list through find_get_stripe() -> list_del_init(). This prevents handle_stripe() from ever processing the stripe to resolve the overlap, resulting in an infinite loop and soft lockup condition.

The vulnerability was resolved by modifying the failure path to use __release_stripe() with temp_inactive_list instead of raid5_release_stripe(), ensuring the stripe bypasses the released_stripes llist and allowing raid5d to exit its loop. The overlap is subsequently resolved when handle_stripe() processes the stripe.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

System administrators managing Linux servers with md/raid5 configurations, kernel maintainers, distribution security teams, and organizations running storage infrastructure on Linux software RAID5 arrays.

Technical summary

The vulnerability is a race condition in the Linux kernel's Multiple Device (md) RAID5 driver. The retry_aligned_read() function mishandles stripe release when encountering overlapped stripes, causing an infinite loop in the raid5d kernel thread. The root cause is improper list management: stripes released via raid5_release_stripe() are requeued to handle_list, but retry_aligned_read() removes them before handle_active_stripes() can process them, preventing overlap resolution. The fix replaces raid5_release_stripe() with __release_stripe() using temp_inactive_list in the failure path, breaking the infinite loop and allowing proper stripe processing.

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates from distribution vendors containing the md/raid5 fix for retry_aligned_read()
  • Monitor stable kernel releases for backported patches to affected versions
  • Review systems utilizing md/raid5 for signs of soft lockup events in kernel logs
  • Prioritize patching on systems with heavy RAID5 I/O workloads
  • Validate kernel version post-update to confirm inclusion of fix commits
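
For the log review step above, the following added example (not part of the CVE record or any kernel or vendor tooling) filters kernel log lines for soft lockup reports where the stuck task is an md raid5d thread and groups them by array. It assumes the usual thread naming `<array>_raid<level>` (for example `md0_raid5`) and the watchdog message wording of mainline kernels; the sample lines are constructed.

```python
import re
import sys
from collections import defaultdict

# Soft lockup watchdog report; older kernels omit the "watchdog: " prefix.
LOCKUP_RE = re.compile(
    r"BUG: soft lockup - CPU#(?P<cpu>\d+) stuck for (?P<secs>\d+)s! "
    r"\[(?P<comm>[^\]]+):(?P<pid>\d+)\]"
)
# Assumption: the per-array raid5d thread is named "<array>_raid<level>"
# (e.g. md0_raid5); the md/raid5 driver also serves RAID levels 4 and 6.
RAID5D_RE = re.compile(r"^(?P<array>md\w+?)_raid[456]$")

# Constructed sample log lines, not taken from a real system.
SAMPLE = """\
[ 1042.113] watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [md0_raid5:512]
[ 1066.113] watchdog: BUG: soft lockup - CPU#3 stuck for 45s! [md0_raid5:512]
[ 1070.200] BUG: soft lockup - CPU#1 stuck for 23s! [md127_raid6:733]
[ 1080.000] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [kworker/0:1:77]
[ 1090.000] md/raid:md0: raid level 5 active with 3 out of 3 devices
""".splitlines()


def find_raid5d_lockups(lines):
    """Group soft lockup reports by md array when the stuck task is raid5d."""
    hits = defaultdict(lambda: {"count": 0, "max_secs": 0, "cpus": set()})
    for line in lines:
        m = LOCKUP_RE.search(line)
        t = RAID5D_RE.match(m.group("comm")) if m else None
        if not t:
            continue  # not a lockup report, or a different task is stuck
        rec = hits[t.group("array")]
        rec["count"] += 1
        rec["max_secs"] = max(rec["max_secs"], int(m.group("secs")))
        rec["cpus"].add(int(m.group("cpu")))
    return {a: {**r, "cpus": sorted(r["cpus"])} for a, r in hits.items()}


if __name__ == "__main__":
    # Pipe `dmesg` or `journalctl -k` output in; with no pipe, use the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    report = find_raid5d_lockups(source)
    for array, r in sorted(report.items()):
        print(f"{array}: {r['count']} soft lockup report(s), "
              f"longest {r['max_secs']}s, CPUs {r['cpus']}")
    sys.exit(1 if report else 0)
```

A match shows only that a raid5d thread was reported stuck; confirming this specific defect still requires checking the running kernel against the vendor's fixed versions.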

Evidence notes

Vulnerability description and fix details sourced from official CVE record and NVD entry. Multiple kernel.org stable tree commits provided as references indicate backports to affected stable kernel branches.
