PatchSiren

CVE-2026-46063 Linux CVE debrief

A deadlock vulnerability exists in the Linux kernel's x86 shadow stack (shstk) signal return handling. When processing sigreturn, the kernel reads the shadow stack signal frame while holding the mmap read lock to verify the memory is actually shadow stack memory. If this read triggers a page fault, the fault handler attempts to acquire another mmap read lock. Under contention with a writer waiting on another CPU, this second read lock acquisition can block and cause a deadlock. The fix drops the mmap lock during the userspace access and instead uses the mmap_lock_speculate_*() helpers to detect VMA changes between the lock drop and the access, retrying if necessary. This approach requires PER_VMA_LOCK, which is now made a dependency for X86_USER_SHADOW_STACK. Support for non-SMP configurations is dropped, as the !SMP shadow stack user base is assumed to be non-existent.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux kernel maintainers, distribution security teams, organizations running x86_64 Linux with Intel CET shadow stack enabled, cloud providers offering confidential computing with memory integrity features, and security-conscious enterprises using control-flow protection mechanisms.

Technical summary

The vulnerability occurs in arch/x86/kernel/shstk.c during signal return processing. The original code held mmap_read_lock() while accessing userspace shadow stack memory to validate VMA flags. This created a reentrancy hazard: copy_from_user() could page fault, and handle_mm_fault() would recursively attempt mmap_read_lock(). With a concurrent writer pending, the second reader would block, creating a deadlock because the writer is itself waiting for the first reader to release the lock. The fix introduces speculative lockless access using mm_lock_seq sequence counters (available via PER_VMA_LOCK) to detect concurrent modifications without holding the lock across the copy. The patchset also removes an optimization that skipped validation when SSP was assumed to be on the shadow stack, making security-critical code paths more uniform and testable.
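
The check, access, validate and retry sequence described above, as an added example that is neither the kernel patch nor code from this advisory: a single-threaded userspace model in C in which every identifier (mm_model, read_shstk_word, writer_change, unmap_once) is hypothetical and the sample state is constructed. It shows why the sequence comparison is needed once no lock is held across the user access: a mapping change that lands between the VMA check and the read forces a retry instead of a stale "is shadow stack" result being accepted.

```c
/* Single-threaded userspace MODEL of the pattern; every name is hypothetical.
 * Kernel code additionally needs acquire/release ordering on the counter. */
#include <stdbool.h>
#include <stdio.h>
struct mm_model {
    unsigned seq;          /* bumped on writer lock and unlock; odd = writer active */
    bool vma_is_shstk;     /* models the VMA flag covering the SSP address */
    unsigned long frame;   /* models the word stored in the signal frame */
};
typedef void (*race_hook)(struct mm_model *mm, int attempt);

static void writer_change(struct mm_model *mm, bool is_shstk)
{
    mm->seq++;                      /* writer takes the lock */
    mm->vma_is_shstk = is_shstk;    /* e.g. the mapping is replaced */
    mm->seq++;                      /* writer releases the lock */
}

/* 0 = word read from verified shadow stack, -1 = not shadow stack, -2 = gave up */
static int read_shstk_word(struct mm_model *mm, unsigned long *out,
                           race_hook hook, int *attempts)
{
    for (*attempts = 1; *attempts <= 8; (*attempts)++) {
        unsigned seq = mm->seq;                /* begin speculation */
        if (seq & 1) continue;                 /* writer active, try again */
        bool is_shstk = mm->vma_is_shstk;      /* VMA check, no lock held */
        if (hook) hook(mm, *attempts);         /* window where a writer can run */
        unsigned long val = mm->frame;         /* user access; a fault nests no lock */
        if (mm->seq != seq) continue;          /* mapping may have changed: redo */
        if (!is_shstk) return -1;
        *out = val;
        return 0;
    }
    return -2;
}

static void unmap_once(struct mm_model *mm, int attempt)
{
    if (attempt == 1) writer_change(mm, false);  /* constructed race on first try */
}

int main(void)
{
    struct mm_model mm = { 0, true, 0x1234 };    /* constructed sample state */
    unsigned long v = 0;
    int n = 0, rc = read_shstk_word(&mm, &v, unmap_once, &n);
    printf("rc=%d attempts=%d\n", rc, n);        /* rejected on the second attempt */
    return 0;
}
```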

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches once available for your distribution
  • Verify kernel configuration includes CONFIG_PER_VMA_LOCK=y for shadow stack support
  • Monitor distribution security advisories for backported fixes
  • Review systems using Control-Flow Enforcement Technology (CET) with shadow stacks
  • Consider disabling shadow stack features temporarily on critical systems if patches are unavailable and the threat model warrants it
  • Audit for any observed system hangs or deadlocks during signal-heavy workloads as potential exploitation indicators

Evidence notes

CVE published 2026-05-27. Kernel commit references indicate fixes applied to stable branches. No CVSS score or severity assigned by NVD at time of disclosure.
