CVE-2026-46173
Received - Intake
Linux Kernel Task Dead Preemption Vulnerability

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

exit: prevent preemption of oopsing TASK_DEAD task

When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler.)
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel when a task that is already exiting experiences an oops (a kernel error). During this process, the function make_task_dead() calls do_task_dead() with preemption enabled, which is not allowed because do_task_dead() calls __schedule(), a function that must be called with preemption disabled.

If the oopsing task is preempted while in do_task_dead(), between becoming TASK_DEAD and entering the scheduler, the scheduler's assumptions break down. Specifically, finish_task_switch() assumes that once a TASK_DEAD task is switched away from, it will never run again and its stack is no longer needed. However, if the dead task was preempted, this assumption fails.

As a result, the scheduler may repeatedly drop references on the dead task's stack, leading to use-after-free or double-free conditions of the task's stack memory. This can cause two tasks to run on the same stack, resulting in various kinds of memory corruption.

This issue can occur even if the task only oopses once during exit, such as in a file_operations::release handler, and is not limited to recursively oopsing tasks.
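The reference-count sequence described above, as an added user-space toy model (not kernel code and not part of the original page). The kernel names in comments come from the description; `exit_after_oops`, `schedule_away`, `tick_in_window` and the `stack_refs` field are hypothetical names introduced for illustration.

```c
/* Toy model of the stack-reference accounting; constructed, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum state { TASK_RUNNING, TASK_DEAD };
enum mode  { SM_NONE, SM_PREEMPT };

struct task {
    enum state state;
    int stack_refs;   /* models the reference held on the task stack */
    bool on_rq;       /* still runnable, so it can be picked again */
};

/* Models finish_task_switch(): a TASK_DEAD prev is assumed never to run again. */
static void finish_task_switch(struct task *prev)
{
    if (prev->state == TASK_DEAD)
        prev->stack_refs--;              /* stack reference dropped */
}

/* Models __schedule(): a preempted task stays runnable whatever its state. */
static void schedule_away(struct task *prev, enum mode m)
{
    if (m != SM_PREEMPT && prev->state != TASK_RUNNING)
        prev->on_rq = false;
    finish_task_switch(prev);            /* runs in the next task's context */
}

/* Final stack refcount after an oops during exit.
 * preempt_disabled: preemption is off around do_task_dead().
 * tick_in_window: constructed input, a preemption request arriving between
 * the TASK_DEAD store and the explicit __schedule() call. */
int exit_after_oops(bool preempt_disabled, bool tick_in_window)
{
    struct task t = { TASK_RUNNING, 1, true };

    t.state = TASK_DEAD;                     /* do_task_dead() sets the state */
    if (tick_in_window && !preempt_disabled)
        schedule_away(&t, SM_PREEMPT);       /* preempted while TASK_DEAD */
    schedule_away(&t, SM_NONE);              /* explicit scheduler entry */
    return t.stack_refs;                     /* 0: released once, <0: over-released */
}

int main(void)
{
    printf("preemptible, tick in window: %d\n", exit_after_oops(false, true));
    printf("preemption disabled:         %d\n", exit_after_oops(true, true));
    return 0;
}
```

A negative result stands for the over-release that the description ties to use-after-free or double-free of the task stack.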


How can this vulnerability impact me?

This vulnerability can lead to memory corruption in the Linux kernel due to use-after-free or double-free of task stacks. Such memory corruption can cause system instability, crashes, or unpredictable behavior.

Because two tasks might end up running on the same stack, this can potentially be exploited to execute arbitrary code or cause denial of service, depending on the context and attacker capabilities.

