CVE-2026-23050
Description
In the Linux kernel, the following vulnerability has been resolved:
pNFS: Fix a deadlock when returning a delegation during open()
Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935
The issue is that the delegreturn is being asked to wait for a layout return that cannot complete because a state recovery was initiated. The state recovery cannot complete until the open() finishes processing the delegations it was given.
The solution is to propagate the existing flags that indicate a non-blocking call to the function pnfs_roc(), so that it knows not to wait in this situation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deadlock in Linux kernel pNFS occurs when a delegation return during open() blocks on a layout return that cannot complete, fixed by propagating non-blocking flags to pnfs_roc().
Vulnerability
CVE-2026-23050 describes a deadlock in the Linux kernel's parallel NFS (pNFS) delegation return mechanism. The bug arises in the pnfs_roc() function, which is called during _nfs4_proc_delegreturn while processing a delegation received during an open() call. The deadlock occurs because the delegation return operation blocks waiting for a layout return that cannot complete—state recovery has been initiated but cannot finish until the open() call finishes processing the delegations it was given. This creates a circular wait: the delegation return waits for the layout return, which depends on state recovery, which depends on the open() completing [1].
Exploitation
An attacker who can trigger an NFSv4 open() operation that triggers delegation processing while a layout return is pending could cause the deadlock. The attack surface is local or remote (via NFS) with the ability to initiate NFS operations that hit the described code path. No special privileges beyond basic NFS access are required, but the deadlock results in a hang (denial of service) of the NFS client [1].
Impact
A successful trigger results in a kernel deadlock, causing the NFS client to hang indefinitely. This leads to denial of service for the local system's NFS operations and potentially for the entire NFS client mount, affecting availability of NFS resources.
Mitigation
The fix, which propagates existing non-blocking flags to pnfs_roc() so that it does not wait in this situation, has been applied to the Linux kernel stable tree (commit d6c75aa9d607044d1e5c8498eff0259eed356c32). Users should update to a kernel version containing this patch or any subsequent stable release that includes it [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.