CVE-2025-68336
Description
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been converted to WRITE_ONCE(), but not debug_write_lock_before() part. Do it now.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race in do_raw_write_lock in the Linux kernel's spinlock debug code can cause concurrent read/write access, leading to undefined behavior.
Vulnerability
In the Linux kernel, the do_raw_write_lock function in the spinlock debug code contains a data race. The Kernel Concurrency Sanitizer (KCSAN) reported concurrent write and read accesses to the same memory location (0xffff800009cf504c) by different tasks. The previous fix in commit 1a365e822372 addressed most similar races but incomplete: debug_write_lock_before was not converted to use WRITE_ONCE(), leaving the race unfixed.
Exploitation
An attacker can exploit this race by triggering concurrent execution of do_raw_write_lock on multiple CPUs, for example, through parallel do_exit calls via call_usermodehelper_exec_async. No special privileges are needed beyond ability to run code that causes concurrent lock acquisition.
Impact
A successful exploit can lead to data corruption or other undefined behavior due to unsynchronized access to shared data in the lock debugging infrastructure. This could potentially be leveraged to cause system instability or privilege escalation, though specifics depend on the environment.
Mitigation
The fix is to add WRITE_ONCE() to the debug_write_lock_before part of do_raw_write_lock, making the access consistent with debug_write_lock_after. The patch has been merged into stable kernel branches. Users should update to a kernel containing the fix referenced by the commit [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76nvd
- git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703nvd
- git.kernel.org/stable/c/39d2ef113416f1a4205b03fb0aa2e428d1412c77nvd
- git.kernel.org/stable/c/8e5b2cf10844402054b52b489b525dc30cc16908nvd
- git.kernel.org/stable/c/93bd23524d63deb80fb85beb2e43fafeb1043d0fnvd
- git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442nvd
- git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03anvd
- git.kernel.org/stable/c/c228cb699a07a5f2d596d186bc5c314c99bb8bbfnvd
News mentions
0No linked articles in our index yet.