CVE-2026-23292
Received Received - Intake
Recursive Locking Vulnerability in Linux Kernel SCSI Target Component

Publication date: 2026-03-25

Last updated on: 2026-03-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace: down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open target_core_item_dbroot_store flush_write_buffer configfs_write_iter target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows: db_root: not a directory: /sys/kernel/config/target/dbroot indicating that the same configfs file was tried to be opened, on which it is currently working on. Thus, it is trying to acquire frag_sem semaphore of the same file of which it already holds the semaphore obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking. Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-25
Generated
2026-05-07
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23292
EUVD
EUVD-2026-15221
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's SCSI target code, specifically in the function __configfs_open_file(). The issue arises due to recursive locking of a semaphore called frag_sem. During the execution of flush_write_buffer, the frag_sem semaphore is acquired, and then the function target_core_item_dbroot_store() is called. This function attempts to open a file path using filp_open(), but it ends up trying to open the same configfs file it is already working on. This causes the semaphore frag_sem to be acquired again in a nested manner, leading to recursive locking.

The fix involves changing target_core_item_dbroot_store() to use kern_path() instead of filp_open(), avoiding the use of the filesystem-specific __configfs_open_file() function and thus preventing the recursive locking scenario.


How can this vulnerability impact me? :

This vulnerability can lead to recursive locking of a semaphore within the Linux kernel's SCSI target code. Recursive locking can cause deadlocks or system instability, potentially leading to kernel hangs or crashes. Such behavior can disrupt normal system operations, affecting availability and reliability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by modifying the Linux kernel code, specifically by changing target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid recursive locking.

Therefore, the immediate step to mitigate this vulnerability is to update your Linux kernel to a version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart