CVE-2026-43054 Overview
CVE-2026-43054 is a medium-severity vulnerability in the Linux kernel SCSI target subsystem, specifically in the tcm_loop driver. The flaw stems from tcm_loop_target_reset() violating the SCSI error handling (EH) contract by returning SUCCESS without draining in-flight commands. This causes the SCSI EH layer to reuse scsi_cmnd structures while the target core still has asynchronous completion work queued for the old se_cmd. The result is a leaked LUN reference that prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink operations indefinitely in D-state. The vulnerability is tracked under CWE-772: Missing Release of Resource after Effective Lifetime.
Critical Impact
Local low-privilege users can trigger a kernel resource leak that hangs LUN unlink operations and degrades system availability through unkillable D-state processes.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0 release candidates (rc1 through rc5)
- Distributions shipping the tcm_loop SCSI target module
Discovery Timeline
- 2026-05-01 - CVE-2026-43054 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43054
Vulnerability Analysis
The vulnerability resides in the tcm_loop SCSI low-level driver (LLD), which provides a virtual SCSI host backed by the LIO target core. According to scsi_eh.rst, when a reset handler returns SUCCESS, the driver must guarantee that lower layers have forgotten about timed-out SCSI commands. Other LLDs such as virtio_scsi, mpt3sas, ipr, scsi_debug, and mpi3mr enforce this contract by draining or completing outstanding commands before signaling success.
The tcm_loop_target_reset() function returns SUCCESS without performing this drain step. This breaks the synchronization expectation between the SCSI midlayer and the target core, leaving asynchronous completion work pending against se_cmd structures that the SCSI EH then recycles for recovery commands like Test Unit Ready (TUR).
Root Cause
The root cause is a missing drain operation in the target reset handler. When the SCSI EH issues a target reset and proceeds to reuse the in-flight scsi_cmnd, the memset in queuecommand zeroes se_lun and lun_ref_active. As a consequence, transport_lun_remove_cmd() skips its percpu_ref_put(), leaking the LUN reference. The leaked reference prevents transport_clear_lun_ref() from ever completing, causing core_tpg_remove_lun() and the configfs_unlink path to block indefinitely.
Attack Vector
Exploitation requires local access with low privileges sufficient to interact with the LIO/configfs interface or to trigger SCSI error handling on a tcm_loop target. A local user able to drive the SCSI EH path on a vulnerable target can induce the reference leak, producing tasks blocked in D-state and a loss of availability for storage management operations. The vulnerability does not impact confidentiality or integrity. Exploitation does not yield code execution; the realized impact is denial of service against the storage stack.
The upstream fix introduces two drain steps: issuing TMR_LUN_RESET via tcm_loop_issue_tmr() to drain commands the target core tracks, then using blk_mq_tagset_busy_iter() with flush_work() on each se_cmd to drain deferred completion work for commands already marked CMD_T_COMPLETE.
Detection Methods for CVE-2026-43054
Indicators of Compromise
- Kernel log entries reporting INFO: task <name>:<pid> blocked for more than 122 seconds with transport_clear_lun_ref in the stack trace.
- Processes performing rm or configfs unlink operations stuck in uninterruptible sleep (D-state).
- Stack traces containing core_tpg_remove_lun, target_fabric_port_unlink, and configfs_unlink that fail to complete.
Detection Strategies
- Monitor /var/log/messages and dmesg for hung task warnings referencing the target_core_mod module.
- Track running kernel versions across the fleet and flag hosts using tcm_loop with kernels predating the patch commits.
- Audit which systems load the tcm_loop module, because only hosts running LIO with the loopback fabric are exposed.
Monitoring Recommendations
- Enable hung_task_timeout_secs alerting and forward kernel hung-task events to the SIEM for correlation.
- Watch for sustained increases in processes in D-state on storage-serving hosts.
- Track configfs operations that fail to terminate, particularly LUN removal calls from orchestration tooling.
How to Mitigate CVE-2026-43054
Immediate Actions Required
- Apply the upstream stable patches referenced by the kernel maintainers as soon as vendor builds are available.
- Inventory all hosts loading the tcm_loop module and prioritize patching those exposing LIO targets.
- Restrict local access and configfs permissions on storage hosts to trusted administrators only.
Patch Information
The fix is distributed across multiple stable branches. Apply your distribution's kernel update containing one of the following commits: 05ac3754, 103f79e4, 1333eee5, 15f5241d, 757c43c6, 7cbd69aa, or a836054e. The patch makes tcm_loop_target_reset() drain commands using TMR_LUN_RESET and blk_mq_tagset_busy_iter() plus flush_work().
Workarounds
- Unload the tcm_loop module on systems that do not require LIO loopback functionality using modprobe -r tcm_loop.
- Blacklist tcm_loop in /etc/modprobe.d/ where the loopback fabric is unused.
- Limit access to /sys/kernel/config/target/ and related configfs paths to privileged administrators only.
# Configuration example: blacklist tcm_loop where unused
echo "blacklist tcm_loop" | sudo tee /etc/modprobe.d/blacklist-tcm_loop.conf
sudo modprobe -r tcm_loop
# Verify the module is no longer loaded
lsmod | grep tcm_loop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
