CVE-2026-23368
Received - Intake
AB-BA Deadlock in Linux Kernel PHY LED Trigger Registration

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: phy: register phy led_triggers during probe to avoid AB-BA deadlock

There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled:

[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
[ 1362.104022] [<80014504>] syscall_common+0x34/0x58

Here LED_TRIGGER_PHY is registering LED triggers during phy_attach while holding RTNL and then taking triggers_list_lock.

[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
[ 1362.232164] [<80014504>] syscall_common+0x34/0x58

Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes triggers_list_lock and then RTNL. A classical AB-BA deadlock.

phy_led_triggers_register() does not require the RTNL, it does not make any calls into the network stack which require protection. There is also no requirement the PHY has been attached to a MAC, the triggers only make use of phydev state. This allows the call to phy_led_triggers_register() to be placed elsewhere. PHY probe() and release() don't hold RTNL, so solving the AB-BA deadlock.

Meta Information
Published: 2026-03-25
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 15 associated CPEs
Vendor  Product       Version / Range
linux   linux_kernel  4.16
linux   linux_kernel  From 6.19 (inc) to 6.19.7 (exc)
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  From 6.13 (inc) to 6.18.17 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.130 (exc)
linux   linux_kernel  From 5.11 (inc) to 5.15.203 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.167 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.78 (exc)
linux   linux_kernel  From 4.16.1 (inc) to 5.10.253 (exc)
CWE
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an AB-BA deadlock in the Linux kernel related to LED trigger registration. It occurs when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled simultaneously.

The deadlock happens because LED_TRIGGER_PHY registers LED triggers during the PHY attach process while holding the RTNL lock and then tries to acquire the triggers_list_lock. Meanwhile, LEDS_TRIGGER_NETDEV takes the triggers_list_lock first and then tries to acquire the RTNL lock, creating a circular lock dependency (AB-BA deadlock).

The root cause is that phy_led_triggers_register() is called during PHY attach, where the RTNL lock is already held, even though the function does not require it: it makes no calls into the network stack that need that protection. The fix registers the PHY LED triggers during the PHY probe phase, which does not hold the RTNL lock, thus avoiding the deadlock.


How can this vulnerability impact me?

This vulnerability can cause a deadlock in the Linux kernel when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled. A deadlock means that certain kernel operations involving LED triggers and network device locks can freeze, potentially causing system hangs or unresponsiveness.

Such a deadlock can impact system stability and availability, especially in environments relying on these LED triggers for network device status indication or management.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as an AB-BA deadlock involving LED triggers in the Linux kernel. It can be detected by observing kernel logs for deadlock messages related to led_trigger_register, phy_led_triggers_register, and network device locking (rtnl_mutex).

You can search your system logs (for example with dmesg or journalctl) for traces that contain the functions and lock involved:

  • dmesg | grep -i 'led_trigger_register'
  • dmesg | grep -i 'phy_led_triggers_register'
  • dmesg | grep -i 'rtnl_mutex'

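These commands search the kernel log for the stack traces and lock name involved. A match on one function name alone only shows that a trace passed through that function; the AB-BA deadlock described here is indicated when both call chains from the description appear.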
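
A stricter check than single greps, as an added example that is not part of the original page: it groups kernel log frames into stacks and reports the deadlock only when both lock orders from the description are present. The function names scan_led_deadlock and sample_log are assumptions, and the sample log is constructed from trace lines quoted in the description.

```sh
# Reads kernel log text on stdin; exit status 0 only when BOTH halves appear.
scan_led_deadlock() {
    awk '
    # A stack is a run of consecutive frame lines (symbol+0xOFF/0xLEN).
    function flush() {
        # RTNL held, then triggers_list_lock wanted (PHY attach path).
        if (seen["phy_attach_direct"] && seen["phy_led_triggers_register"] &&
            seen["led_trigger_register"]) rtnl_first = 1
        # triggers_list_lock held, then RTNL wanted (netdev trigger path).
        if (seen["led_trigger_set"] && seen["netdev_trig_activate"] &&
            seen["register_netdevice_notifier"]) list_first = 1
        split("", seen)   # portable way to empty the array
    }
    {
        if (match($0, /[A-Za-z_][A-Za-z0-9_.]*\+0x[0-9a-f]+\/0x[0-9a-f]+/)) {
            sym = substr($0, RSTART, RLENGTH)
            sub(/\+.*/, "", sym)      # keep only the symbol name
            seen[sym] = 1
        } else {
            flush()                   # a non-frame line ends the current stack
        }
    }
    END {
        flush()
        print "RTNL -> triggers_list_lock stack: " (rtnl_first ? "found" : "absent")
        print "triggers_list_lock -> RTNL stack: " (list_first ? "found" : "absent")
        exit !(rtnl_first && list_first)
    }'
}

# Constructed sample: frames taken from the description, header lines invented.
sample_log() {
    cat <<'EOF'
task A (constructed header line)
[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654
task B (constructed header line)
[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
EOF
}

sample_log | scan_led_deadlock    # on a live system: dmesg | scan_led_deadlock
```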


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by moving the registration of PHY LED triggers to the PHY probe phase, so that the RTNL lock is not held while LED triggers are registered. Immediate mitigation involves updating the Linux kernel to a version where this fix is applied.

Since the issue arises from the order of acquiring locks (RTNL and triggers_list_lock), avoiding enabling both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY simultaneously can reduce the risk until a patch is applied.

In summary, the recommended immediate steps are:

  • Update the Linux kernel to a version that includes the fix for this deadlock.
  • Avoid enabling both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY triggers at the same time on your devices.
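
The two steps above as a local check, added here as an example and not taken from the original page or the kernel project: it compares an upstream version string with the ranges in the affected-products table and looks for both options in a kernel config file. The function names, the /boot/config-<release> path and the use of GNU sort -V are assumptions; distribution kernels backport fixes, so a version inside a range still needs confirmation from the vendor.

```sh
# ver_lt A B: true when version A sorts strictly before B (needs sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Ranges copied from the table on this page: from (inclusive) to (exclusive).
AFFECTED_RANGES='4.16.1 5.10.253
5.11 5.15.203
5.16 6.1.167
6.2 6.6.130
6.7 6.12.78
6.13 6.18.17
6.19 6.19.7'

in_affected_range() {   # $1: kernel release, e.g. the output of uname -r
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop suffixes like -generic
    # Versions the table lists without a range (the 7.0 rows carry no qualifier).
    case "$v" in 4.16|4.16.0|7.0|7.0.0) return 0 ;; esac
    while read -r lo hi; do
        if ! ver_lt "$v" "$lo" && ver_lt "$v" "$hi"; then return 0; fi
    done <<EOF
$AFFECTED_RANGES
EOF
    return 1
}

# True when the config file enables both options named in the description.
both_triggers_enabled() {   # $1: plain-text kernel config file
    grep -Eq '^CONFIG_LEDS_TRIGGER_NETDEV=[ym]' "$1" &&
    grep -Eq '^CONFIG_LED_TRIGGER_PHY=[ym]' "$1"
}

rel=$(uname -r)
if in_affected_range "$rel"; then
    echo "$rel: inside a listed range; confirm the fix with your kernel vendor"
else
    echo "$rel: outside the listed ranges"
fi
cfg="/boot/config-$rel"
if [ -r "$cfg" ] && both_triggers_enabled "$cfg"; then
    echo "both LED trigger options are enabled in $cfg"
fi
```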
