CVE-2026-46050
Analyzed Analyzed - Analysis Complete
Deadlock in Linux Kernel RAID10 with NOWAIT Requests

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46050
EUVD
EUVD-2026-32432
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 5.15.189 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.1.146 (inc) to 6.1.175 (exc)
linux linux_kernel From 6.12.39 (inc) to 6.12.86 (exc)
linux linux_kernel From 6.15.7 (inc) to 6.16 (exc)
linux linux_kernel From 6.16.1 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.6.99 (inc) to 6.6.140 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's md/raid10 subsystem. It involves a deadlock condition triggered when a RAID 10 array check operation runs concurrently with NOWAIT I/O requests. During the check, a barrier is raised that blocks normal requests and increments a counter (nr_pending) to indicate pending work. However, NOWAIT requests do not block and return immediately with an error without incrementing nr_pending. A recent code change added a call that decrements nr_pending unconditionally, even when it was never incremented for NOWAIT requests. This causes the nr_pending counter to underflow (go negative), leading to a deadlock where the md resync thread waits indefinitely for nr_pending to reach zero, causing the RAID 10 array to become stuck.

Impact Analysis

This vulnerability can cause a deadlock in the RAID 10 array management within the Linux kernel. Specifically, the md resync thread can become stuck waiting indefinitely, which means that array check operations and I/O requests can be blocked. This can lead to degraded system performance, unresponsive storage subsystems, and potential data availability issues while the RAID array is stuck in this deadlocked state.

Detection Guidance

This vulnerability can be detected by observing the md resync thread getting stuck and the nr_pending value underflowing during a RAID10 array check operation combined with NOWAIT IO requests.

You can check the state of the RAID10 array configuration (r10conf) for abnormal values such as a negative nr_pending counter, which indicates the deadlock condition.

Additionally, monitoring kernel threads related to md resync and md_sync for stack traces stuck in raise_barrier() or wait_barrier() functions can help identify the issue.

  • Use commands like `cat /proc/mdstat` to check RAID array status.
  • Use `dmesg` or `journalctl -k` to look for kernel logs indicating stuck md resync threads.
  • Use debugging tools like `crash` to inspect the r10conf structure and check the nr_pending counter.
Mitigation Strategies

Immediate mitigation involves avoiding running array check operations simultaneously with NOWAIT IO requests on the same RAID10 array, as this triggers the deadlock.

If the system is already affected, restarting the md resync thread or rebooting the system may temporarily resolve the deadlock.

Applying the upstream fix that corrects the handling of nr_pending in the raid10_make_request function will permanently resolve the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart