PatchSiren

CVE-2026-46304 Linux CVE debrief

A vulnerability was found in the nvmet subsystem of the Linux kernel. A flawed teardown path in the nvmet_ctrl_free function could lead to a recursive locking warning. The issue arises when nvmet_tcp_release_queue_work runs on nvmet-wq and drops the final controller reference through nvmet_cq_put, potentially triggering nvmet_ctrl_free. nvmet_ctrl_free then flushes ctrl->async_event_work on the same nvmet-wq, leading to a possible recursive locking warning.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-14
Advisory published: 2026-06-08
Advisory updated: 2026-06-14

Who should care

System administrators and users running Linux kernel versions affected by this vulnerability should be concerned. The vulnerability has the potential to cause a denial of service (DoS), as it can lead to a system crash or instability.

Technical summary

The vulnerability is caused by a recursive locking issue in the nvmet subsystem of the Linux kernel. The call chain leading to the issue is as follows, in call order:

  • nvmet_tcp_schedule_release_queue
  • nvmet_tcp_release_queue
  • queue_work(nvmet_wq, &queue->release_work)
  • nvmet_tcp_release_queue_work
  • nvmet_cq_put
  • nvmet_cq_destroy
  • nvmet_ctrl_put
  • nvmet_ctrl_free
  • flush_work(&ctrl->async_event_work)

This recursive locking issue can cause a system crash or instability.
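
The call chain above, reduced to a user-space C model. This is an added example, not kernel code and not taken from the advisory. It assumes a lockdep-style check in which a worker holds its workqueue's lock class while an item runs and a flush takes the class of the target item's queue; every model_* name and both final_put_* helpers are hypothetical.

```c
#include <stdio.h>
/* Simplified model (assumption): one lock class per workqueue. Not kernel code. */
struct wq { const char *name; };
struct work { struct wq *wq; void (*fn)(void); };
static struct wq *held[8];      /* classes held by the current context */
static int nheld, warnings;

/* Model of flush_work(): waiting on an item takes its queue's class. */
static void model_flush_work(struct work *w) {
    for (int i = 0; i < nheld; i++)
        if (held[i] == w->wq)
            warnings++;         /* class already held: recursive locking report */
}

/* Model of a worker: the queue's class stays held while the item runs. */
static void model_run_on_wq(struct work *w) {
    held[nheld++] = w->wq;
    w->fn();
    nheld--;
}

static struct wq nvmet_wq = { "nvmet-wq" };
static void async_event_fn(void) { }
static struct work async_event_work = { &nvmet_wq, async_event_fn };

/* nvmet_ctrl_free step: flush async_event_work, which lives on nvmet-wq. */
static void model_ctrl_free(void) { model_flush_work(&async_event_work); }
/* release_work step: cq put -> ctrl put drops the final reference. */
static void model_release_fn(void) { model_ctrl_free(); }
static struct work release_work = { &nvmet_wq, model_release_fn };

/* Final reference dropped by release_work while it runs on nvmet-wq. */
int final_put_on_nvmet_wq(void) {
    warnings = nheld = 0;
    model_run_on_wq(&release_work);
    return warnings;
}

/* Contrast: same free path from a context holding no nvmet-wq class. */
int final_put_outside_wq(void) {
    warnings = nheld = 0;
    model_ctrl_free();
    return warnings;
}

int main(void) {
    int on_wq = final_put_on_nvmet_wq(), elsewhere = final_put_outside_wq();
    printf("final put on %s: %d warning(s); elsewhere: %d\n", nvmet_wq.name, on_wq, elsewhere);
    return 0;
}
```

The model reports one warning only when the final reference is dropped by an item already running on nvmet-wq, which is the condition the call chain describes.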

Defensive priority

High

Recommended defensive actions

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Apply the patches provided by the Linux kernel maintainers to address this issue.

Evidence notes

The evidence for this vulnerability comes from the Linux kernel source code and the National Vulnerability Database (NVD).

Official resources

This vulnerability was publicly disclosed on June 8, 2026.