CVE-2026-46173
Analyzed Analyzed - Analysis Complete
Linux Kernel Task Dead Preemption Vulnerability

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!". If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46173
EUVD
EUVD-2026-32800
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 5.17 (inc) to 6.1.175 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel when a task that is already exiting experiences an oops (a kernel error). During this process, the function make_task_dead() calls do_task_dead() with preemption enabled, which is not allowed because do_task_dead() calls __schedule(), a function that must be called with preemption disabled.

If the oopsing task is preempted while in do_task_dead(), between becoming TASK_DEAD and entering the scheduler, the scheduler's assumptions break down. Specifically, finish_task_switch() assumes that once a TASK_DEAD task is switched away from, it will never run again and its stack is no longer needed. However, if the dead task was preempted, this assumption fails.

As a result, the scheduler may repeatedly drop references on the dead task's stack, leading to use-after-free or double-free conditions of the task's stack memory. This can cause two tasks to run on the same stack, resulting in various kinds of memory corruption.

This issue can occur even if the task only oops once during exit, such as in a file_operations::release handler, and is not limited to recursively oopsing tasks.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel due to use-after-free or double-free of task stacks. Such memory corruption can cause system instability, crashes, or unpredictable behavior.

Because two tasks might end up running on the same stack, this can potentially be exploited to execute arbitrary code or cause denial of service, depending on the context and attacker capabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart