CVE-2026-23355 Overview
A race condition has been identified in the Linux kernel's libata subsystem, in the handling of deferred ATA queued commands (QCs). Work scheduled to run ata_scsi_deferred_qc_work() is not canceled when ap->deferred_qc is cleared, so a stale work item can run later and trip a WARN_ON() in that function. The direct effect is a kernel warning; on kernels booted with panic_on_warn=1 (the configuration syzbot fuzzes with) it is a panic, and in either case it shows the deferred command path running against a port state it was not scheduled for.
Critical Impact
A stale deferred work item can execute after the port state it was scheduled against has changed, for example after a reset with new NCQ commands in flight. The observable outcome is a WARN_ON() in ata_scsi_deferred_qc_work(); where panic_on_warn is enabled this is a denial of service, and elsewhere it signals that libata's command issue path is operating on inconsistent state. The reported impact is availability: no memory corruption or code execution is described.
Affected Products
- Linux kernel builds whose libata code contains the deferred QC work path (ata_scsi_deferred_qc_work) without the fix; no exact version range is given here, so check your distribution's advisory
- Systems with ATA/SATA storage driven by libata, which includes AHCI controllers, since only these issue ATA queued commands
- Linux distributions shipping affected kernel versions
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23355 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23355
Vulnerability Analysis
The vulnerability resides in the Linux kernel's libata subsystem, which implements ATA/SATA device handling beneath the SCSI layer. The flaw was found by syzbot, the automated kernel fuzzing bot built on syzkaller, which reported a WARN_ON() triggered in ata_scsi_deferred_qc_work().
The core issue is a gap between clearing the ap->deferred_qc pointer and the work item that was queued to process it. The code takes the ap->lock spinlock when assigning and clearing ap->deferred_qc, so the pointer itself is updated consistently; but when the deferred QC is dropped on a timeout or error path, the work that was already scheduled is left on the workqueue.
This leaves a window in which the stale work item runs against a port whose state no longer matches what it was scheduled for. The report ties the trigger to mixed NCQ (Native Command Queuing) and non-NCQ command processing, where a non-NCQ command must wait for in-flight NCQ commands to drain before it can be issued.
Root Cause
The root cause is that clearing ap->deferred_qc does not cancel the work item already queued to run ata_scsi_deferred_qc_work(). On the error-handling and timeout paths the pointer is cleared under ap->lock, but the work stays on the workqueue and runs later, after the condition it was scheduled for has gone away. Clearing the pointer and canceling the work are two separate operations, and only the first was performed.
The problematic sequence is:
- NCQ commands complete, and work is scheduled to issue the non-NCQ command held in ap->deferred_qc
- Before that work runs, an error or timeout clears ap->deferred_qc without canceling the pending work
- Error handling resets the port, and new commands, including NCQ commands, are queued
- The stale work finally runs, finds NCQ commands in flight, a state the deferred issue path treats as impossible, and hits the WARN_ON()
Attack Vector
Triggering the race requires a specific interleaving of storage I/O and ATA error handling: a deferred non-NCQ command, then a timeout or error that clears it while its work is still queued, then a reset followed by fresh NCQ traffic. An unprivileged process doing ordinary file I/O can produce the NCQ/non-NCQ mix, but it cannot reliably cause the timeout or error at the right moment. That step normally needs control of the device (faulty or attacker-controlled hardware, or the emulated disk of a virtual machine) or the ability to send raw ATA commands, which on Linux requires root, CAP_SYS_RAWIO, or write access to the block device node.
The attack scenario involves:
- Issuing multiple NCQ commands to an ATA device
- Queuing a non-NCQ command that is deferred behind them
- Causing a timeout or error while the deferred work is still queued (through a malformed command or device manipulation)
- Letting error handling reset the port, then submitting new commands
- Waiting for the stale deferred work to run against the reset port
This vulnerability does not directly enable code execution. The WARN_ON() becomes a denial of service on systems running with panic_on_warn, and on other systems it leaves the deferred command path operating on a port state the code did not anticipate.
Detection Methods for CVE-2026-23355
Indicators of Compromise
- A kernel WARNING whose header or call trace names ata_scsi_deferred_qc_work (the "------------[ cut here ]------------" marker followed by "WARNING: CPU: ... PID: ... at <file>:<line> ata_scsi_deferred_qc_work+...")
- libata error-handling output shortly before it (ata<N>: exception Emask ... frozen, failed command: ..., hard resetting link, EH complete), which shows the timeout or error path that cleared the deferred QC
- ATA port resets that are not explained by hardware faults (clean SMART data, no link or cable errors)
- If the host panicked (panic_on_warn or a follow-on crash), a kdump vmcore or pstore record whose backtrace ends in ata_scsi_deferred_qc_work
Detection Strategies
- Search kernel logs (dmesg, journalctl -k) for WARNING lines referencing ata_scsi_deferred_qc_work; this is the only indicator specific to this bug
- Correlate those warnings with the preceding libata EH output (exception/frozen, failed command, resetting link) to confirm the timeout-or-error-then-reset sequence
- On a test system, enable the libata tracepoints under /sys/kernel/tracing/events/libata/ (for example ata_qc_issue and ata_eh_link_autopsy) or ftrace function tracing on ata_scsi_deferred_qc_work to see when the deferred work runs relative to resets
- Feed the same patterns into centralized log analysis so the warning raises an alert instead of being buried in dmesg
Monitoring Recommendations
- Configure centralized logging to aggregate kernel messages from all Linux systems
- Alert on libata WARNING messages and on port resets that do not coincide with a known hardware event
- Track unexpected reboots and oops/panic records (kdump, pstore) on hosts with ATA-backed storage
- Review storage health reports (SMART, controller logs) so genuine device faults can be separated from this race
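The following script turns the indicators above into a repeatable check. It is an added example written for this page, not code from the kernel project or from the CVE record. It assumes the WARN_ON() sits in drivers/ata/libata-scsi.c (inferred from the ata_scsi_ prefix, and used only in the constructed sample log), and the dmesg and kallsyms samples embedded in it are constructed, with placeholder timestamps, PIDs, offsets and line numbers.

```shell
#!/bin/sh
# Added example for this advisory (not kernel project code): scan kernel log
# text for the indicators of the deferred QC race and check whether a kernel
# exposes the deferred QC work path at all.
# Assumption: the WARN_ON() is in drivers/ata/libata-scsi.c (inferred from the
# function prefix); only the constructed sample below relies on that.

# Constructed sample dmesg: a libata error-handling cycle, then the warning.
# Timestamps, PID, the line number NNNN and code offsets are placeholders.
SAMPLE_DMESG='[  130.001234] ata1.00: exception Emask 0x0 SAct 0x3 SErr 0x0 action 0x6 frozen
[  130.001240] ata1.00: failed command: WRITE FPDMA QUEUED
[  130.001250] ata1: hard resetting link
[  130.450000] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[  130.460000] ata1.00: configured for UDMA/133
[  130.470000] ata1: EH complete
[  131.000000] ------------[ cut here ]------------
[  131.000010] WARNING: CPU: 2 PID: 345 at drivers/ata/libata-scsi.c:NNNN ata_scsi_deferred_qc_work+0x1c/0x80
[  131.000020] Call Trace:
[  131.000030]  ata_scsi_deferred_qc_work+0x1c/0x80
[  131.000040]  process_one_work+0x1f2/0x3e0'

# Constructed clean sample: a normal link-up with no EH cycle and no warning.
CLEAN_DMESG='[   12.000000] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[   12.010000] ata2.00: configured for UDMA/133'

# Constructed /proc/kallsyms excerpts (addresses zeroed as for an unprivileged
# reader): one kernel with the deferred QC work function, one without it.
SAMPLE_KALLSYMS='0000000000000000 T ata_scsi_queuecmd [libata]
0000000000000000 t ata_scsi_deferred_qc_work [libata]
0000000000000000 t ata_scsi_dev_rescan [libata]'
OLD_KALLSYMS='0000000000000000 T ata_scsi_queuecmd [libata]
0000000000000000 t ata_scsi_dev_rescan [libata]'

# Count WARNING headers naming ata_scsi_deferred_qc_work. The header line is
# the one indicator specific to this bug; call-trace lines are not counted.
deferred_qc_warnings() {
    printf '%s\n' "$1" | grep -cE 'WARNING: CPU: [0-9]+ PID: [0-9]+ at .*ata_scsi_deferred_qc_work[+]' || true
}

# Count libata port resets (hard or soft) requested by error handling.
ata_port_resets() {
    printf '%s\n' "$1" | grep -cE 'ata[0-9]+(\.[0-9]+)?: (hard|soft) resetting link' || true
}

# Count frozen-port exceptions, the timeout/error entry point into libata EH.
ata_frozen_exceptions() {
    printf '%s\n' "$1" | grep -cE 'ata[0-9]+(\.[0-9]+)?: exception Emask .* frozen' || true
}

# Given kallsyms text, report whether the deferred QC work function exists.
# Absence means the code path (and so this bug) is not in the running kernel,
# or libata is not loaded; presence does not distinguish patched from unpatched.
has_deferred_qc_path() {
    printf '%s\n' "$1" | grep -qE '[[:space:]][tT][[:space:]]ata_scsi_deferred_qc_work([[:space:]]|$)'
}

# Classify a log: 2 = warning present, 1 = resets seen (review), 0 = clean.
assess_log() {
    w=$(deferred_qc_warnings "$1")
    r=$(ata_port_resets "$1")
    f=$(ata_frozen_exceptions "$1")
    if [ "$w" -gt 0 ]; then
        echo "MATCH: $w WARN_ON() hit(s) in ata_scsi_deferred_qc_work after $f frozen exception(s) and $r port reset(s)"
        return 2
    elif [ "$r" -gt 0 ]; then
        echo "REVIEW: $r port reset(s), $f frozen exception(s), no deferred QC warning"
        return 1
    fi
    echo "CLEAN: no libata resets or deferred QC warnings"
    return 0
}

# Run on the constructed samples by default; pass "live" to read this host.
if [ "${1:-demo}" = live ]; then
    assess_log "$(dmesg 2>/dev/null || journalctl -k -b --no-pager)" || :
    if has_deferred_qc_path "$(cat /proc/kallsyms 2>/dev/null)"; then
        echo "kernel exposes ata_scsi_deferred_qc_work: confirm the fix commit is included"
    else
        echo "ata_scsi_deferred_qc_work not in kallsyms: deferred QC path absent (or libata not loaded)"
    fi
else
    assess_log "$SAMPLE_DMESG" || :
    assess_log "$CLEAN_DMESG" || :
fi
```

The kallsyms check is a filter, not a verdict: a kernel without the function cannot have this bug, but one that has it may already carry the fix, so pair a positive result with the package changelog or the fix commits listed below. The "live" mode falls back to journalctl when dmesg is restricted to root by kernel.dmesg_restrict.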
How to Mitigate CVE-2026-23355
Immediate Actions Required
- Update to a kernel that contains the fix (see Patch Information below) and reboot, or apply it through your distribution's live-patch channel
- Monitor for the WARN_ON() described above; any hit means the race occurred, whether or not anything malicious was involved
- Restrict raw block-device and ATA pass-through access (write access to /dev/sd* nodes, CAP_SYS_RAWIO) to trusted users on hosts with critical storage
- Check how affected hosts react to a kernel WARN: with panic_on_warn enabled a single triggered WARN_ON() is an outage, so weigh that setting against its debugging value until the fix is deployed
Patch Information
The Linux kernel maintainers have released patches that cancel the pending work when ap->deferred_qc is cleared, so that a work item scheduled for a deferred QC can no longer run after that QC has been dropped.
Multiple patch commits are available for different kernel branches:
- Kernel Git Commit 0d12453
- Kernel Git Commit 58e6587
- Kernel Git Commit 6c5e8f1
- Kernel Git Commit aac9b27
Workarounds
- Disable NCQ on affected devices, at runtime (echo 1 > /sys/block/sdX/device/queue_depth) or at boot (libata.force=noncq). The description above ties the race to NCQ and non-NCQ commands being mixed, so removing NCQ should remove the deferral the race depends on; this is an inference from the described sequence, it costs throughput, and it is not a substitute for the patch
- Alert on the WARN_ON() in kernel logs so a triggered race is noticed early
- There is no alternative in-tree driver stack for SATA/AHCI devices, so swapping drivers is not a workaround; the options are the NCQ setting above, live patching, or a kernel update
- Apply a kernel live patch if an immediate reboot is not feasible
# Check the running kernel version (repeat after the reboot to confirm the new kernel is active)
uname -r
# Update the kernel on Debian/Ubuntu systems (Ubuntu metapackage shown; Debian uses linux-image-amd64 or the arch-specific equivalent)
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# Update the kernel on RHEL/CentOS Stream/Fedora systems (use yum on releases that predate dnf)
sudo dnf update kernel
# Reboot to load the patched kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

