CVE-2026-46031
Awaiting Analysis Awaiting Analysis - Queue
Deadlock in Linux Kernel ks8851 Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Reinstate disabling of BHs around IRQ handler If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device. If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below. If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well. Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed. __schedule from schedule_rtlock+0x1c/0x34 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c sch_direct_xmit from __qdisc_run+0x1f8/0x4ec __qdisc_run from qdisc_run+0x1c/0x28 qdisc_run from net_tx_action+0x1f0/0x268 net_tx_action from handle_softirqs+0x1a4/0x270 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 __local_bh_enable_ip from __alloc_skb+0xd8/0x128 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 ks8851_irq from irq_thread_fn+0x24/0x64 irq_thread_fn from irq_thread+0x178/0x28c irq_thread from kthread+0x12c/0x138 kthread from ret_from_fork+0x14/0x28
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46031
EUVD
EUVD-2026-32412
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.8.10 (inc) to 6.9 (exc)
linux linux_kernel 6.9
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 6.1.91 (inc) to 6.1.175 (exc)
linux linux_kernel From 6.6.31 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.9.1 (inc) to 6.12.86 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the Linux kernel's ks8851 network driver. It involves a deadlock situation triggered when the driver handles transmit (TX) and receive (RX) packets simultaneously under certain configurations, specifically when CONFIG_PREEMPT_RT=y is set. The issue arises because the driver enables the TX queue which schedules a TX softirq, and if a packet is received at the same time, the allocation of socket buffers (SKBs) with bottom halves (BH) enabled triggers softirq processing. This processing attempts to acquire a spinlock already held by the IRQ handler, causing a deadlock.

The problem is fixed by disabling bottom halves (BH) around critical sections, including the IRQ handler, to prevent the TX softirq from triggering during these critical sections. This ensures that softirq processing only happens after the IRQ handler completes, avoiding the deadlock.

Impact Analysis

This vulnerability can cause a deadlock in the Linux kernel's network driver, which may lead to system instability or a hang when transmitting and receiving network packets simultaneously. This can disrupt network communication, degrade system performance, or cause the affected system to become unresponsive until rebooted or the issue is resolved.

Mitigation Strategies

The vulnerability is fixed by disabling bottom halves (BH) around critical sections, including the IRQ handler, to prevent the net_tx_action() softirq from triggering during these critical sections.

To mitigate this vulnerability immediately, ensure that your Linux kernel includes the patch that reinstates disabling of BHs around the IRQ handler in the ks8851 driver.

If you are running a kernel with CONFIG_PREEMPT_RT=y, verify that the fix is applied to avoid deadlocks caused by the ks8851 driver.

In general, updating your Linux kernel to a version that contains this fix is the recommended immediate mitigation step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart