PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46223 Linux CVE debrief

A vulnerability in the Linux kernel's cgroup subsystem could cause system-wide A-A deadlocks during cgroup rmdir operations. The issue stems from a chain of commits (v7.0+) that reworked rmdir to satisfy controller invariants, specifically the requirement that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup. The problematic commit sequence moved task cset unlink from do_exit() to finish_task_switch(), causing exiting tasks to linger on cset->tasks until their final context switch. Subsequent commits attempted to bridge the divergence between userspace expectations and kernel requirements, culminating in cgroup_drain_dying() which waits in TASK_UNINTERRUPTIBLE for dying tasks to leave. This wait creates a deadlock when the rmdir caller is also the reaper of zombies that pin a pidns teardown (e.g., host PID 1 systemd reaping orphan pids), as the reaper becomes blocked waiting for pids that cannot free because the reaper itself is stuck. The fix defers css percpu_ref kill on rmdir until the cgroup is depopulated, making the css killing chain asynchronous so that rmdir returns once cgroup.procs is empty while ->css_offline() runs only after full drainage. A related pre-existing race exists in cgroup_apply_control_disable() when controllers are disabled via subtree_control; this patch preserves synchronous behavior at that call site with a follow-up patch planned to address it.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux system administrators, container platform operators, Kubernetes cluster operators, and anyone running workloads with frequent cgroup creation/destruction cycles or namespace teardown operations

Technical summary

The Linux kernel's cgroup subsystem contained a deadlock vulnerability in the rmdir path introduced by commits beginning in v7.0. The cgroup_drain_dying() function waits in TASK_UNINTERRUPTIBLE for dying tasks to leave a cgroup being removed. When the process performing rmdir is also the zombie reaper for processes in a pid namespace being torn down (common with systemd as PID 1), this creates a circular dependency: rmdir waits for the pids to be freed, but those pids cannot be freed because their reaper is blocked in rmdir. The resolution makes css (cgroup_subsys_state) killing asynchronous, deferring percpu_ref_kill_and_confirm() until after all tasks have actually left the cgroup. This allows rmdir to return immediately when cgroup.procs becomes empty while maintaining the controller invariant that ->css_offline() runs only after kernel-side work completes.

Defensive priority

High

Recommended defensive actions

  • Apply kernel patches from the stable tree commits referenced in the CVE record
  • Prioritize patching systems running systemd or similar init systems as PID 1 that perform cgroup management
  • Monitor for kernel stable updates backporting this fix
  • Review systems with heavy cgroup churn or frequent namespace teardown operations
  • Test cgroup rmdir operations under load after patching to verify deadlock resolution
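As an added example (not code from the CVE record, PatchSiren, or the kernel fix), the scanner below gives operators a concrete check for the "review systems with heavy cgroup churn" and "test rmdir under load" items: it lists tasks in TASK_UNINTERRUPTIBLE (state D in /proc/<pid>/stat) whose wait channel is in the cgroup teardown path. It assumes that a task blocked in cgroup_drain_dying() reports that symbol in /proc/<pid>/wchan; the /proc lines in SAMPLE_STAT are constructed for illustration.

```python
"""Flag tasks that look blocked in the uninterruptible cgroup rmdir wait.

Added example for this debrief, not part of the CVE record or the kernel fix.
Assumption: a task parked in cgroup_drain_dying() shows that symbol in
/proc/<pid>/wchan. Reading wchan for other users' tasks is subject to the
ptrace access check, so run the live scan as root to avoid "0" placeholders.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Functions the debrief names on the blocking rmdir path (assumed wchan values).
CGROUP_WAIT_SYMBOLS = ("cgroup_drain_dying", "cgroup_rmdir")


@dataclass
class TaskInfo:
    pid: int
    comm: str
    state: str   # one-letter scheduler state from /proc/<pid>/stat
    wchan: str   # kernel symbol the task is sleeping in


# "pid (comm) state ...": comm may contain spaces or parentheses, so the
# greedy group anchors on the last ')' before the state field.
_STAT_RE = re.compile(r"^(\d+) \((.*)\) (\S)")


def parse_stat(stat_line: str, wchan: str) -> Optional[TaskInfo]:
    m = _STAT_RE.match(stat_line.rstrip("\n"))
    if not m:
        return None
    return TaskInfo(int(m.group(1)), m.group(2), m.group(3), wchan.strip())


def is_stuck_in_cgroup_teardown(t: TaskInfo) -> bool:
    """D state plus a wchan in the cgroup teardown path."""
    return t.state == "D" and any(t.wchan.startswith(s) for s in CGROUP_WAIT_SYMBOLS)


def find_stuck(tasks: Iterable[TaskInfo]) -> List[TaskInfo]:
    return [t for t in tasks if is_stuck_in_cgroup_teardown(t)]


def read_proc_tasks(proc: str = "/proc") -> List[TaskInfo]:
    """Live collection from /proc (Linux only); unreadable entries are skipped."""
    found: List[TaskInfo] = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc}/{name}/stat") as f:
                stat = f.read()
            with open(f"{proc}/{name}/wchan") as f:
                wchan = f.read()
        except OSError:
            continue  # task exited or access denied; not an error for a scan
        t = parse_stat(stat, wchan)
        if t is not None:
            found.append(t)
    return found


# Constructed sample: what a scan could look like on an affected host where
# PID 1 (the zombie reaper) is blocked in rmdir. Field values are made up.
SAMPLE_STAT = [
    ("1 (systemd) D 0 1 1 0 -1 4194560 ...", "cgroup_drain_dying"),
    ("4242 (kworker/u8:2) D 2 0 0 0 -1 69238880 ...", "blk_mq_wait"),  # D, unrelated
    ("5150 (bash) S 1 5150 5150 0 -1 4194560 ...", "do_wait"),
]


def scan_sample() -> List[TaskInfo]:
    tasks = [parse_stat(s, w) for s, w in SAMPLE_STAT]
    return find_stuck([t for t in tasks if t is not None])


if __name__ == "__main__":
    stuck = find_stuck(read_proc_tasks()) if os.path.isdir("/proc/1") else scan_sample()
    for t in stuck:
        print(f"pid {t.pid} ({t.comm}) in D state at {t.wchan}: possible cgroup rmdir deadlock")
```

A hit on PID 1 is the signature the debrief describes: the reaper is the one blocked, so the zombies it would reap cannot be freed and the wait never ends. Pair the scan with a watchdog timeout on any automation that performs cgroup rmdir, so a hang is reported rather than silently stalling the node.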

Evidence notes

The vulnerability description confirms this is a resolved Linux kernel issue with deadlock impact. The fix involves deferring the css percpu_ref kill until cgroup depopulation, verified against the original reproducer involving pidns teardown and zombie reaper scenarios. No CVSS score or severity had been assigned by NVD at the time of disclosure.

Official resources

2026-05-28