CVE-2026-45981 Overview
CVE-2026-45981 is a Linux kernel vulnerability in the s390 channel I/O (cio) subsystem. The flaw is in css_alloc_subchannel(): once device_initialize() has been called on the embedded struct device, the subchannel is owned by the device model's reference count, but when dma_set_coherent_mask() or dma_set_mask() fails the error path frees the subchannel structure with kfree() directly, bypassing the device model release callback. Any reference still held to that device then points at freed memory, which can result in use-after-free or double-free conditions on IBM Z (s390) systems. The upstream fix replaces the direct kfree() with put_device() so that the structure is released through the reference-counted path.
Critical Impact
Improper device reference handling in the s390/cio subchannel allocation path can trigger use-after-free or double-free conditions in the Linux kernel.
Affected Products
- Linux kernel s390/cio subsystem (css_alloc_subchannel() in drivers/s390/cio/css.c)
- IBM Z (s390x) architecture builds of the Linux kernel
- Multiple stable kernel branches as referenced in upstream commits
Discovery Timeline
- 2026-05-27 - CVE-2026-45981 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45981
Vulnerability Analysis
The vulnerability lies in the Common I/O (CIO) subchannel allocation logic for the s390 architecture. The function css_alloc_subchannel() invokes device_initialize() on the embedded struct device early in the allocation flow. After initialization, the function attempts to configure Direct Memory Access (DMA) masks via dma_set_coherent_mask() and dma_set_mask().
When either DMA mask call fails, the original error path frees the containing subchannel structure directly with kfree(). This violates the Linux device model contract: once device_initialize() has been called, the embedded device is reference-counted and must be released by dropping that reference with put_device(), which invokes the registered release callback only when the last reference goes away. The release callback, not the caller, is responsible for freeing the container.
Root Cause
The root cause is improper device lifecycle handling in an error path. The kernel device model requires that any struct device initialized via device_initialize() is released by dropping its reference with put_device(). Calling kfree() directly skips the release callback for that allocation and frees memory that any other reference holder still points to: a later get_device() or put_device() through such a reference is a use-after-free, and if that put_device() drives the stale count to zero, the release callback frees the structure a second time, which is the double-free case.
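As an added illustration, not code from the kernel or from the upstream fix, the following userspace C model plays out the contract described above. Everything in it is constructed for the model: the struct device with its refcount and release pointer, get_device()/put_device(), the fixed-slot allocator standing in for kzalloc()/kfree(), dma_set_mask_sim(), and the `observer` hook that takes a second reference right after device_initialize(). The real kernel types and functions are larger, and the model does not claim how a second reference would actually be obtained during css_alloc_subchannel(); it only shows what each error-path variant does to the container once such a reference exists. css_alloc_subchannel_model() runs the allocation with either the vulnerable kfree() error path or the put_device() error path, and run_error_path() reports whether the release callback ran exactly once and whether freed memory was touched.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Userspace model, not kernel code: the device model, the slot allocator and the
 * DMA helper are constructed stand-ins that track what happens to the container. */
struct device {
	int refcount;                        /* stand-in for the kobject kref */
	void (*release)(struct device *dev); /* runs when the last reference is dropped */
};
struct subchannel {                      /* container, like cio's struct subchannel */
	unsigned int schid;
	struct device dev;
};
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define to_subchannel(d) container_of(d, struct subchannel, dev)
/* Fixed-slot "slab": touching a freed slot is counted instead of being undefined behaviour. */
#define POOL_SLOTS 4
static struct subchannel pool[POOL_SLOTS];
static bool live[POOL_SLOTS];
static int releases, bad_accesses;       /* release callbacks run; touches of freed memory */

static bool sch_live(const struct subchannel *sch)
{
	return sch >= pool && sch < pool + POOL_SLOTS && live[sch - pool];
}
static struct subchannel *kzalloc_sch(void)
{
	for (int i = 0; i < POOL_SLOTS; i++) {
		if (live[i])
			continue;
		memset(&pool[i], 0, sizeof(pool[i]));
		live[i] = true;
		return &pool[i];
	}
	return NULL;
}
static void kfree_sch(struct subchannel *sch)
{
	if (!sch_live(sch)) { bad_accesses++; return; }   /* double free */
	live[sch - pool] = false;
}
static void device_initialize(struct device *dev) { dev->refcount = 1; } /* the allocator's own reference */
static struct device *get_device(struct device *dev)
{
	if (!sch_live(to_subchannel(dev))) bad_accesses++;  /* use after free */
	dev->refcount++;
	return dev;
}
static void put_device(struct device *dev)
{
	if (!sch_live(to_subchannel(dev))) { bad_accesses++; return; }  /* use after free */
	if (--dev->refcount == 0)
		dev->release(dev);
}
static void css_subchannel_release(struct device *dev)
{
	releases++;
	kfree_sch(to_subchannel(dev));       /* the only correct place to free the container */
}
static int dma_set_mask_sim(bool fail) { return fail ? -EIO : 0; }

/* The allocation path. fixed=false takes the vulnerable kfree() error path, fixed=true
 * the put_device() path of the upstream fix. observer, if non-NULL, receives an extra
 * reference taken right after device_initialize(): a constructed stand-in for any code
 * that can reach the device once it is initialized. */
static struct subchannel *css_alloc_subchannel_model(bool fixed, bool dma_fails,
						     struct device **observer)
{
	struct subchannel *sch = kzalloc_sch();
	if (!sch)
		return NULL;
	sch->dev.release = css_subchannel_release;
	device_initialize(&sch->dev);
	if (observer)
		*observer = get_device(&sch->dev);
	if (dma_set_mask_sim(dma_fails)) {
		if (fixed)
			put_device(&sch->dev);   /* release runs only if this was the last reference */
		else
			kfree_sch(sch);          /* BUG: frees regardless of other reference holders */
		return NULL;
	}
	return sch;
}

/* Plays the failing DMA path. Returns 0 when the lifecycle stayed sane; bit 1 set means
 * the release callback never ran, bit 2 that freed memory was touched. */
static int run_error_path(bool fixed, bool with_observer)
{
	struct device *held = NULL;
	memset(live, 0, sizeof(live));
	releases = bad_accesses = 0;
	css_alloc_subchannel_model(fixed, true, with_observer ? &held : NULL);
	if (held)
		put_device(held);                /* the observer drops its reference later */
	return (releases != 1 ? 1 : 0) | (bad_accesses ? 2 : 0);
}
```

With the kfree() path the release callback never runs, so whatever it would have cleaned up is leaked, and as soon as a second reference exists the holder's later put_device() lands on freed memory. With put_device() the callback runs exactly once whether or not another holder exists, because the count rather than the caller decides when the container dies. That is the whole content of the fix: the error path gives up its own reference instead of destroying the object.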
Attack Vector
The defect is reachable through the subchannel allocation path during s390 CIO initialization or hot-plug events. Triggering the error branch requires dma_set_coherent_mask() or dma_set_mask() to fail for the newly allocated subchannel device on s390 hardware or in a virtualized s390 environment; an attacker would need local access to a vulnerable system and some way to induce that failure. The realistic consequences are kernel memory corruption and denial of service via kernel panic; privilege escalation through targeted heap manipulation is a theoretical outcome rather than a demonstrated one.
No verified proof-of-concept code is available. See the upstream fix in Kernel Git Commit 2b2ad7a and related stable branch backports for the corrected error path.
Detection Methods for CVE-2026-45981
Indicators of Compromise
- Kernel oops, panic, or BUG reports referencing css_alloc_subchannel, device_initialize, or s390 CIO functions in dmesg and /var/log/kern.log
- KASAN reports flagging use-after-free or double-free on subchannel structures in s390 builds
- Unexpected I/O subsystem instability or subchannel registration failures on IBM Z systems
Detection Strategies
- Inventory Linux hosts to identify s390x kernels and compare running kernel versions against the patched stable releases referenced in the upstream commits
- Enable Kernel Address Sanitizer (KASAN) and slab debugging in test environments to surface use-after-free conditions in the CIO path
- Correlate kernel crash telemetry against the function signatures css_alloc_subchannel, dma_set_mask, and dma_set_coherent_mask
Monitoring Recommendations
- Forward kernel logs from s390 hosts to a centralized logging or SIEM platform and alert on kernel oops events referencing the CIO subsystem
- Monitor for repeated subchannel allocation failures, which may indicate the error path is being exercised
- Track package and kernel update status across the s390 fleet to confirm patch deployment
How to Mitigate CVE-2026-45981
Immediate Actions Required
- Identify all Linux s390x systems in the environment, including IBM Z hardware and z/VM or KVM guests
- Apply the upstream patch or vendor-provided kernel update that replaces the direct kfree() call in css_alloc_subchannel() with put_device()
- Reboot affected systems after patching to load the corrected kernel
- Prioritize hosts that experience frequent CIO initialization events or subchannel hot-plug activity
Patch Information
The fix replaces the direct kfree() in the error path of css_alloc_subchannel() with put_device(), ensuring the device release callback frees the container structure correctly. Patches have been merged across multiple stable branches. Reference commits include Kernel Git Commit 2b2ad7a, Kernel Git Commit 6715560, Kernel Git Commit abb6e07, Kernel Git Commit b1d4e6f, Kernel Git Commit c35cfbb, Kernel Git Commit f65c75b, Kernel Git Commit f96c5cc, and Kernel Git Commit fd295a7.
Workarounds
- No vendor-supplied workaround exists; patching the kernel is the supported remediation
- Restrict local access to s390 systems to trusted administrators to reduce the attack surface until patches are applied
- Avoid loading or hot-plugging CIO devices on unpatched systems where DMA mask configuration is known to fail
# Verify running kernel version and architecture on s390 systems (the architecture should print s390x)
uname -r -m
# Example: apply the distribution kernel update and reboot
# SUSE family
sudo zypper refresh && sudo zypper update kernel-default
# Red Hat family
sudo dnf update kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.