CVE-2026-23047
Awaiting Analysis
BaseFortify

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

libceph: make calc_target() set t->paused, not just clear it

Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set.

One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held:

  rbd_register_watch
    __rbd_register_watch
      ceph_osdc_watch
        linger_reg_commit_wait

It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place.

The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex.
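The pause and unpause handling described above, reduced to a user-space model. This is an added example, not kernel source and not part of the advisory; the `fixed` switch, `regular_resent()` and `rewatch_completes()` are hypothetical names, and the assumption that only a paused -> unpaused transition queues a request for resend is taken from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the described logic; not kernel source. */
struct target { bool paused; };

/* Returns true on a paused -> unpaused transition, i.e. the request
 * would be queued for resend. fixed=false models the old behaviour. */
static bool calc_target(struct target *t, bool should_pause, bool fixed)
{
    if (t->paused && !should_pause) {
        t->paused = false;
        return true;
    }
    if (fixed && should_pause)
        t->paused = true;            /* the step the description says was missing */
    return false;
}

/* Regular request: the submit path marks it paused, so it is resent. */
static bool regular_resent(bool fixed)
{
    struct target t = { false };
    calc_target(&t, true, fixed);
    t.paused = true;                 /* stands in for __submit_request() */
    return calc_target(&t, false, fixed);
}

/* Linger (re)watch targeted while paused; no submit path runs for it.
 * Returns true if the registration commit waiter would be woken. */
static bool rewatch_completes(bool fixed)
{
    struct target lreq_t = { false };
    bool reg_committed = false;

    calc_target(&lreq_t, true, fixed);          /* requests are paused */
    if (calc_target(&lreq_t, false, fixed))     /* pause lifted, re-target */
        reg_committed = true;                   /* resent, commit signalled */
    return reg_committed;
}

int main(void)
{
    printf("old:   regular=%d linger=%d\n", regular_resent(false), rewatch_completes(false));
    printf("fixed: regular=%d linger=%d\n", regular_resent(true), rewatch_completes(true));
    return 0;
}
```

In the old variant the linger case never reports completion, which corresponds to the waiter in linger_reg_commit_wait never being woken while rbd_dev->watch_mutex stays held.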
Meta Information
Published: 2026-02-04
Last Modified: 2026-02-04
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's libceph component, specifically in the function calc_target(). The function currently clears the paused state (t->paused) of a request when it should no longer be paused, but it does not set the paused state when a request should be paused. This setting is only done in __submit_request(), which works for regular requests but not for linger requests.

Because linger requests never have their paused state set, watches do not get reestablished when transitioning from paused to unpaused states if the paused unwatch request times out and the subsequent rewatch request enters the paused state. This causes the function rbd_reregister_watch() to get stuck holding a mutex (rbd_dev->watch_mutex) indefinitely.

As a result, operations like 'rbd unmap' hang indefinitely because they cannot acquire the mutex, leading to a system state where resources remain locked and operations cannot complete.


How can this vulnerability impact me?

This vulnerability can cause certain operations involving Ceph block devices to hang indefinitely. Specifically, the 'rbd unmap' command can get stuck waiting for a mutex that is never released due to the paused state not being properly set on linger requests.

This can lead to resource locking issues, where images cannot be unmapped and system processes remain in an uninterruptible sleep state (D state), potentially causing system instability or degraded performance.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

