CVE-2026-23110 Overview
A race condition vulnerability has been identified in the Linux kernel's SCSI core subsystem. The vulnerability exists in the error handler wake-up mechanism when final command completions race against each other. The fragile ordering between marking commands completed or failed causes the error handler to only wake when the last running command completes or times out, but race conditions in this logic can prevent the error handler from being properly awakened, resulting in I/O operations through the SCSI host becoming stuck.
Critical Impact
This vulnerability can cause the SCSI layer to fail to wake the error handler, leaving I/O operations stuck as the error state cannot advance, potentially leading to system hangs or denial of service conditions.
Affected Products
- Linux kernel (SCSI core subsystem)
- Systems utilizing SCSI storage controllers
- Enterprise servers and storage appliances running affected kernel versions
Discovery Timeline
- 2026-02-04 - CVE-2026-23110 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23110
Vulnerability Analysis
This vulnerability represents a race condition in the Linux kernel's SCSI error handling subsystem. The core issue involves memory ordering problems within the scsi_dec_host_busy() function and general ordering issues with scsi_eh_inc_host_failed(). These race conditions affect the synchronization between command completion tracking and error handler invocation.
The vulnerability manifests through two distinct race condition scenarios that can prevent proper error handler wake-up:
Memory Ordering Issue: The write operation that clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU sees its own write, reordering allows other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to observe a raised busy count, causing no CPU to see a host busy equal to the host_failed count.
General Ordering Issue: By counting busy commands before incrementing host_failed, the function can race with a final command in scsi_dec_host_busy(), where neither path wakes the error handler task.
Root Cause
The root cause is improper memory synchronization and operation ordering in the SCSI subsystem's command completion and error handling code paths. Specifically:
- Missing memory barriers on the error path fail to force write visibility before counting host busy commands
- The call to scsi_host_busy() occurs before host_failed is incremented, creating a race window where neither the command completion path nor the error increment path triggers the error handler wake-up
Attack Vector
This vulnerability is triggered through internal kernel operations rather than direct external attack. The race condition occurs when multiple SCSI commands complete or fail simultaneously, causing timing-dependent failures in the error handler wake-up logic. An attacker with local access could potentially craft workloads that increase the likelihood of triggering this race condition, leading to denial of service through stuck I/O operations.
The vulnerability manifests in the scsi_dec_host_busy() and scsi_eh_inc_host_failed() functions within the SCSI core subsystem. The fix involves adding a memory barrier on the error path to ensure proper write visibility and reordering the scsi_host_busy() call to occur after host_failed is incremented. Technical details and patch implementations are available in the kernel git commits.
Detection Methods for CVE-2026-23110
Indicators of Compromise
- Unexplained I/O operations hanging or timing out on SCSI-connected storage devices
- SCSI error handler processes appearing stuck or unresponsive in process listings
- Kernel logs showing SCSI command timeouts without subsequent error recovery
- System performance degradation with storage subsystems becoming unresponsive
Detection Strategies
- Monitor kernel logs for SCSI error handler anomalies and command timeout patterns
- Implement system monitoring for stuck I/O operations using tools like iostat or iotop
- Deploy SentinelOne Singularity Platform for real-time kernel behavior monitoring and anomaly detection
- Review /proc/scsi/ statistics for abnormal command completion patterns
Monitoring Recommendations
- Enable verbose SCSI logging temporarily to capture detailed error handler behavior
- Set up alerts for extended I/O wait times exceeding normal thresholds
- Monitor system call latencies related to storage operations
- Implement automated recovery procedures for detected I/O stalls
How to Mitigate CVE-2026-23110
Immediate Actions Required
- Identify all Linux systems running potentially affected kernel versions
- Review vendor advisories for specific affected kernel version ranges
- Schedule maintenance windows to apply kernel patches
- Implement monitoring for symptoms of the race condition on production systems
- Consider workload distribution to reduce SCSI subsystem stress during patching
Patch Information
The Linux kernel development team has released patches addressing this race condition. The fix implements a memory barrier on the error path to ensure proper write visibility and reorders the scsi_host_busy() call to execute after host_failed is incremented.
Patches are available through the following kernel git commits:
Workarounds
- Reduce concurrent SCSI command load where possible to minimize race condition trigger likelihood
- Implement automated system restart procedures for detected I/O hang conditions
- Consider using alternative storage paths or controllers if available
- Ensure system monitoring is in place to detect and alert on stuck I/O conditions
# Check current kernel version and SCSI module status
uname -r
lsmod | grep scsi
cat /proc/scsi/scsi
# Monitor for SCSI errors in system logs
dmesg | grep -i scsi
journalctl -k | grep -i "scsi\|error handler"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
