CVE-2026-23047
Description
In the Linux kernel, the following vulnerability has been resolved:
libceph: make calc_target() set t->paused, not just clear it
Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held:
  rbd_register_watch
    __rbd_register_watch
      ceph_osdc_watch
        linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex.
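The flag handling described above, reduced to a user-space C model. This is an added example, not kernel code or code from the patch: the struct layout, the `fixed` switch, the `kicked` field and `survives_unpause()` are assumptions made for illustration, and only the names calc_target, t->paused and __submit_request come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code; layout and helper names are assumed. */
struct target { bool paused; };
struct request { struct target t; bool linger; bool kicked; };

/* Model of calc_target(): returns true on a paused -> unpaused transition,
 * meaning the request must be resent. 'fixed' selects post-patch behaviour. */
static bool calc_target(struct target *t, bool should_pause, bool fixed)
{
    if (t->paused && !should_pause) {
        t->paused = false;              /* both versions clear the flag */
        return true;
    }
    if (fixed && should_pause)
        t->paused = true;               /* the fix: also set the flag */
    return false;
}

/* Model of __submit_request(): only regular requests pass through here. */
static void submit_request(struct request *r, bool should_pause)
{
    if (should_pause)
        r->t.paused = true;
}

/* Issue a request while requests are paused, then unpause and rescan.
 * Returns true if the request was kicked (for a watch: reg_commit_wait
 * would be completed), false if it is stranded and its waiter hangs. */
static bool survives_unpause(bool linger, bool fixed)
{
    struct request r = { .linger = linger };
    calc_target(&r.t, true, fixed);     /* target computed while paused */
    if (!r.linger)
        submit_request(&r, true);       /* linger requests skip this step */
    if (calc_target(&r.t, false, fixed))
        r.kicked = true;                /* need_resend_linger -> kick */
    return r.kicked;
}

int main(void)
{
    printf("regular, unpatched: %d\n", survives_unpause(false, false));
    printf("linger,  unpatched: %d\n", survives_unpause(true, false));
    printf("linger,  patched:   %d\n", survives_unpause(true, true));
    return 0;
}
```

Only the unpatched linger case returns false, which corresponds to the waiter in linger_reg_commit_wait never being woken.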
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in Linux kernel libceph's calc_target() prevents linger requests from being marked paused, leading to hung watch re-registration and inability to unmap RBD images.
Root Cause
In the Linux kernel's Ceph client (libceph), the calc_target() function determines whether a request should enter a paused state. However, it only clears the t->paused flag when the request should no longer be paused; it never *sets* t->paused, even though it can detect when pausing is necessary. For ordinary requests this omission is harmless because __submit_request() sets the flag later. But for linger requests (such as watch operations), __submit_request() is not invoked, so the flag is never set [1].
Exploitation
No authentication or special privileges are required beyond the ability to trigger Ceph watch operations that become paused long enough for the unwatch request to time out. When such a pause occurs, the subsequent (re)watch request enters the paused state but t->paused remains unset. Consequently, the request is never placed on the need_resend_linger list and is never kicked when unpaused. The function rbd_reregister_watch() hangs while holding rbd_dev->watch_mutex, waiting in linger_reg_commit_wait() for lreq->reg_commit_wait to be completed [2].
Impact
An attacker who can cause watch requests to be paused (e.g., by manipulating network conditions or Ceph cluster state) can trigger a deadlock. The hung rbd_reregister_watch() call prevents the RBD watch from being reestablished and leaves rbd_dev->watch_mutex held indefinitely. This in turn makes it impossible to unmap the RBD image — "rbd unmap" stalls forever waiting for the mutex. The issue can lead to denial of service for any process needing to access or release RBD images [3].
Mitigation
The fix was committed to the Linux kernel stable tree in commit 4d3399c52e0e (and backports 6f468f6ff233, 2b3329b3c29d, 5647d42c47b5). Users should apply the latest stable kernel update containing these patches. No workaround is available; the vulnerability affects any kernel version lacking the fix [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940 (nvd)
- git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24 (nvd)
- git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342 (nvd)
- git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c (nvd)
- git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021 (nvd)
- git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5 (nvd)
- git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 (nvd)