CVE-2026-45955 Overview
CVE-2026-45955 is a resource management vulnerability in the Linux kernel's md-llbitmap subsystem, used by the multiple device (MD) RAID infrastructure. The flaw resides in llbitmap_suspend_timeout(), which fails to resurrect a percpu_ref reference counter when a suspend operation times out. The caller md_llbitmap_daemon_fn then advances to the next page without invoking llbitmap_resume(), leaving the percpu_ref permanently in a killed state. This renders the affected page control structure unusable for subsequent bitmap operations.
Critical Impact
The defect can permanently disable bitmap page control structures inside the MD RAID layer, leading to degraded RAID bitmap functionality and potential denial of service on storage subsystems relying on md-llbitmap.
Affected Products
- Linux kernel versions containing the md-llbitmap implementation
- Storage stacks using MD RAID with the low-latency bitmap (llbitmap) feature
- Distributions shipping the affected kernel commits prior to patches 095417d6b669, 2446d0993501, and d119bd2e1643
Discovery Timeline
- 2026-05-27 - CVE-2026-45955 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45955
Vulnerability Analysis
The defect lives in the Linux kernel's md/md-llbitmap module, which provides a low-latency bitmap implementation for the MD RAID subsystem. The llbitmap_suspend_timeout() function uses a percpu_ref counter to coordinate suspension of bitmap pages while waiting for outstanding operations to drain. When the wait succeeds, the page is resumed through llbitmap_resume(), which resurrects the percpu_ref. When the wait times out, the function returns -ETIMEDOUT to its caller. The caller, md_llbitmap_daemon_fn, treats the timeout as a recoverable per-page error and proceeds to the next page without invoking the resume path.
Root Cause
The root cause is a missing cleanup step on the error path of llbitmap_suspend_timeout(). The percpu_ref is killed via percpu_ref_kill() to begin the suspend sequence, but no compensating percpu_ref_resurrect() call occurs before returning the timeout error. Because the resume routine is skipped by the caller, the reference counter remains in a killed state indefinitely. Subsequent attempts to acquire references on the affected page fail, breaking the bitmap page control structure for the remainder of the array's lifetime.
Attack Vector
The condition is reachable through normal MD RAID workloads that trigger bitmap suspend operations under contention or I/O pressure sufficient to exceed the suspend timeout. A local user generating sustained storage activity against an MD array configured with llbitmap can drive the timeout path and progressively disable bitmap pages. The published advisory does not document remote exploitation or privilege escalation primitives. The upstream fix resurrects the percpu_ref before returning the error, restoring the page control structure to a usable state.
The vulnerability is described in prose only because no verified proof-of-concept code is published. Review the upstream commits at Kernel Git Commit 095417d6b669, Kernel Git Commit 2446d0993501, and Kernel Git Commit d119bd2e1643 for the authoritative patch content.
Detection Methods for CVE-2026-45955
Indicators of Compromise
- Kernel log messages from the md subsystem referencing llbitmap_suspend_timeout returning -ETIMEDOUT.
- Persistent failures of bitmap operations on MD RAID arrays after an observed suspend timeout event.
- MD daemon threads (md_llbitmap_daemon_fn) advancing through pages while bitmap state appears stuck.
Detection Strategies
- Monitor dmesg and /var/log/messages for repeated md-llbitmap warnings or stalled bitmap activity following a timeout.
- Compare running kernel versions against distribution advisories that incorporate the upstream patches referenced above.
- Audit MD array configurations to identify systems using llbitmap and prioritize them for patch verification.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on md, llbitmap, and percpu_ref keywords.
- Track RAID health metrics (/proc/mdstat, mdadm --detail) for anomalies after periods of heavy I/O.
- Establish baselines for bitmap operation latency to detect degradation indicative of stuck page control structures.
How to Mitigate CVE-2026-45955
Immediate Actions Required
- Apply the upstream kernel patches that resurrect the percpu_ref before returning -ETIMEDOUT from llbitmap_suspend_timeout().
- Update to a distribution kernel that includes commits 095417d6b669, 2446d0993501, or d119bd2e1643 as backported by your vendor.
- Reboot affected hosts after patch installation so the corrected md-llbitmap module is loaded.
Patch Information
The fix is published in the mainline Linux kernel and stable trees through the following commits: Kernel Git Commit 095417d6b669, Kernel Git Commit 2446d0993501, and Kernel Git Commit d119bd2e1643. The patch ensures percpu_ref_resurrect() runs on the timeout error path, restoring the bitmap page control structure for subsequent operations.
Workarounds
- Where patching is delayed, consider migrating MD RAID arrays off the llbitmap feature to the legacy bitmap implementation until the corrected kernel is deployed.
- Reduce sustained I/O pressure on affected arrays to lower the likelihood of triggering the suspend timeout path.
- Schedule controlled restarts of affected systems to clear any bitmap pages already stuck in a killed percpu_ref state.
# Verify whether the running kernel contains the fix
uname -r
grep -E 'llbitmap|md-llbitmap' /proc/kallsyms | head
# Inspect MD arrays and bitmap configuration
cat /proc/mdstat
mdadm --detail /dev/md0 | grep -i bitmap
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
