CVE-2026-53124
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding. Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53124
EUVD
EUVD-2026-38992
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ublk subsystem. When a ublk server starts recovering devices but crashes before issuing fetch commands for all IO operations, some fetch commands that were successfully issued may never be properly canceled. This happens because the per-IO canceled flag remains set even after the fetch for that IO has been submitted. The flags for all IOs in a queue are only reset together once all IOs have been fetched. If only a subset of IOs are fetched before the server dies, those IOs will never be successfully canceled, preventing the cancellation function from completing properly.

The fix involves resetting the per-IO canceled flags immediately when each IO is fetched, rather than waiting for all IOs in the queue to be fetched, which may never happen if the server crashes.

Impact Analysis

This vulnerability can lead to IO commands remaining outstanding and not being properly canceled if the ublk server crashes during device recovery. This could cause resource leaks or inconsistent IO states, potentially impacting system stability or performance related to block device operations.

Mitigation Strategies

The vulnerability is resolved by a fix in the Linux kernel that resets the per-IO cancel flags immediately when each IO is fetched, instead of waiting for all IOs for the queue. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart