CVE-2026-46025
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel DAMON Core

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damon_call() vs kdamond_fn() exit race Patch series "mm/damon/core: fix damon_call()/damos_walk() vs kdmond exit race". damon_call() and damos_walk() can leak memory and/or deadlock when they race with kdamond terminations. Fix those. This patch (of 2); When kdamond_fn() main loop is finished, the function cancels all remaining damon_call() requests and unset the damon_ctx->kdamond so that API callers and API functions themselves can know the context is terminated. damon_call() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damon_call() starts waiting for the kdamond's handling of the newly added request. The damon_call() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damon_call() could race with damon_ctx->kdamond unset, and result in deadlocks. For example, let's suppose kdamond successfully finished the damon_call() requests cancelling. Right after that, damon_call() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damon_call() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damon_call() caller threads infinitely waits. Fix this by introducing another damon_ctx field, namely call_controls_obsolete. It is protected by the damon_ctx->call_controls_lock, which protects damon_call() requests registration. Initialize (unset) it in kdamond_fn() before letting damon_start() returns and set it just before the cancelling of remaining damon_call() requests is executed. damon_call() reads the obsolete field under the lock and avoids adding a new request. After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together. Note that the deadlock will not happen when damon_call() is called for repeat mode request. In tis case, damon_call() returns instead of waiting for the handling when the request registration succeeds and it shows the kdamond is running. However, if the request also has dealloc_on_cancel, the request memory would be leaked. The issue is found by sashiko [1].
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46025
EUVD
EUVD-2026-32406
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 6.14 (inc) to 6.18.27 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by a patch in the Linux kernel that addresses a race condition and potential deadlock in the damon_call() and kdamond_fn() functions. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this patch.

Specifically, ensure your system is running a kernel version released after 2026-05-27 that contains the fix for the damon_call() vs kdamond_fn() exit race condition.

Executive Summary

This vulnerability exists in the Linux kernel's memory management subsystem, specifically in the damon (Data Access MONitor) core. It involves a race condition between the functions damon_call() and kdamond_fn() during the termination of the kdamond process.

The problem occurs because damon_call() registers requests and checks if the kdamond process is still running using different mutexes. This can lead to a situation where damon_call() believes kdamond is still active and waits indefinitely for a request to be handled, but kdamond is actually terminating and will never process the request. This causes deadlocks or memory leaks.

The fix introduces a new field, call_controls_obsolete, protected by a mutex, to prevent damon_call() from adding new requests once the context is terminating, thus avoiding deadlocks and leaks.

Impact Analysis

This vulnerability can cause deadlocks or memory leaks in the Linux kernel's damon subsystem. Specifically, processes calling damon_call() may hang indefinitely waiting for a response that will never come, leading to system instability or degraded performance.

Memory leaks caused by this issue can increase resource consumption over time, potentially leading to exhaustion of memory resources and impacting system reliability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46025. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart