CVE-2026-23356
Logic Bug in Linux DRBD Activity Log Causes Potential Crash

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()

Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing.

If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error.

The rest of the code now assumed that this request has references for the relevant activity log extents.

The implications are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realize that these extents could have been target of in-flight IO and would need to be resynced just in case.

Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().

Fix:

Do not crash the kernel for a condition that is harmless during normal operation: also catch "e->refcnt == 0", not only "e == NULL" when being noisy about "al_complete_io() called on inactive extent %u\n".

And do not try to be smart and "guess" whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work. If it does not, remember a possible "partially in activity log" state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock().

A later call for the same request will then resume from where we left off.
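A simplified user-space model of the reference-counting flaw and the fix described above. It is an added example, not DRBD or kernel code: the `toy_*` types, the function names, the `lock_in` counter and the `-EBUSY` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>

/* Toy model, not kernel code. lock_in: successful gets left before another
 * path takes the try-lock (-1 = never). partial: extents already referenced. */
struct toy_lc  { unsigned refcnt[8]; int lock_in; };
struct toy_req { unsigned first, last, partial; };

/* Stands in for lc_get_cumulative(): may fail despite earlier checks. */
static bool toy_get(struct toy_lc *lc, unsigned enr)
{
    if (lc->lock_in == 0)
        return false;
    if (lc->lock_in > 0)
        lc->lock_in--;
    lc->refcnt[enr]++;
    return true;
}

/* Before the fix: a failed get is ignored (only logged in the kernel). */
int begin_io_buggy(struct toy_lc *lc, struct toy_req *r)
{
    for (unsigned enr = r->first; enr <= r->last; enr++)
        (void)toy_get(lc, enr);
    return 0;
}

/* After the fix: record progress, return an error (-EBUSY is assumed here),
 * and let a later call for the same request resume where it stopped. */
int begin_io_fixed(struct toy_lc *lc, struct toy_req *r)
{
    for (unsigned enr = r->first + r->partial; enr <= r->last; enr++) {
        if (!toy_get(lc, enr))
            return -EBUSY;
        r->partial++;
    }
    return 0;
}

/* Completion: counts puts on extents with refcnt == 0, the BUG_ON() case. */
int complete_io(struct toy_lc *lc, const struct toy_req *r)
{
    int inactive = 0;
    for (unsigned enr = r->first; enr <= r->last; enr++)
        if (lc->refcnt[enr] == 0) inactive++; else lc->refcnt[enr]--;
    return inactive;
}
```

With a request spanning two extents and the lock taken after the first get, the "before" path reports success and completion then finds one extent with no reference held; the "after" path returns the error, keeps `partial == 1`, and finishes cleanly on the retry.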
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.10
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 3.10.1 (inc) to 5.10.253 (exc)
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a logic bug in the Linux kernel's drbd component, specifically in the function drbd_al_begin_io_nonblock(). The issue arises because even though the code checks if it should be able to perform lc_get_cumulative() while holding a spinlock, it can still fail due to timing conflicts with another code path using lc_try_lock().

When this failure occurs, the system logs a "LOGIC BUG" message but does not return an error, leading the rest of the code to incorrectly assume that the request has valid references for the relevant activity log extents. This can cause problems during an active resync, where mutual exclusivity between resync and application IO is not guaranteed, potentially leading to crashes or inconsistent states.

Additionally, after the request completes, it may release activity log references it does not hold, triggering a kernel bug (BUG_ON) due to a zero reference count.

The fix involves handling the condition more gracefully by catching cases where the reference count is zero and returning an error code instead of assuming success. This allows the system to properly handle partial states and resume operations correctly.


How can this vulnerability impact me?

This vulnerability can impact system stability and data integrity during active resync operations in the drbd component of the Linux kernel.

Because mutual exclusivity between resync and application IO is not guaranteed, there is a risk of kernel crashes or inconsistent data states if in-flight IO targets extents that are being resynced.

Furthermore, the bug can cause the kernel to crash due to improper handling of activity log references, which may lead to system downtime or data loss.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by fixing the logic bug in the drbd_al_begin_io_nonblock() function in the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

The fix ensures that the kernel does not crash due to harmless conditions during normal operation and properly handles error codes when activity log references are partially held. Applying the updated kernel will prevent potential crashes and data inconsistencies during active resync operations.

