CVE-2026-23434
Description
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: serialize lock/unlock against other NAND operations
nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller.
Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
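The serialization described above, as an added user-space model (not the kernel patch or any code from the referenced commits): it replays one fixed schedule in which a lock request arrives while a background erase holds the device with a command in flight. All struct and function names are hypothetical stand-ins, and where the real nand_get_device() would sleep, the model returns -EAGAIN and the caller retries.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed user-space model; all names are hypothetical, not kernel structs. */
struct model_chip {
    bool device_held;  /* stands in for the NAND device lock */
    bool cmd_pending;  /* controller is in the middle of a command */
    int conflicts;     /* commands issued while another was pending */
};

/* One low-level PIO command; the controller accepts only one at a time. */
static int ctrl_start(struct model_chip *c)
{
    if (c->cmd_pending) { c->conflicts++; return -EBUSY; }
    c->cmd_pending = true;
    return 0;
}
static void ctrl_finish(struct model_chip *c) { c->cmd_pending = false; }

/* Stand-in for nand_get_device(): reports failure instead of sleeping. */
static bool get_device(struct model_chip *c)
{
    if (c->device_held) return false;
    c->device_held = true;
    return true;
}
static void release_device(struct model_chip *c) { c->device_held = false; }

/* lock_area modelled as SET_FEATURES built from two PIO commands.
 * serialized=false is the pre-fix path, serialized=true the fixed one. */
static int model_lock_area(struct model_chip *c, bool serialized)
{
    int ret = 0;
    if (serialized && !get_device(c)) return -EAGAIN; /* kernel would wait */
    for (int step = 0; step < 2 && !ret; step++) {
        ret = ctrl_start(c);
        if (!ret) ctrl_finish(c);
    }
    if (serialized) release_device(c);
    return ret;
}

/* Fixed schedule: erase holds the device and has a command pending when the
 * lock request arrives. Returns the number of cmd_pending conflicts. */
int run_schedule(bool serialized, int *lock_ret)
{
    struct model_chip c = {0};
    get_device(&c); ctrl_start(&c);              /* background erase running */
    *lock_ret = model_lock_area(&c, serialized); /* request arrives mid-erase */
    ctrl_finish(&c); release_device(&c);         /* erase completes */
    if (*lock_ret == -EAGAIN) *lock_ret = model_lock_area(&c, true);
    return c.conflicts;
}
```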
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Race condition in Linux kernel's MTD rawnand driver allows cmd_pending conflicts between nand_lock/unlock and concurrent NAND operations.
Root Cause
In the Linux kernel's MTD raw NAND driver, the nand_lock() and nand_unlock() functions call chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, this can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, leading to cmd_pending conflicts on the NAND controller [1][2].
Exploitation
An attacker with local access to a system utilizing UBI/UBIFS on raw NAND could trigger this race condition by initiating lock/unlock operations concurrently with background erase/write operations. No special privileges are required beyond the ability to trigger NAND lock/unlock calls, which may be accessible through user-space MTD interfaces [3].
Impact
Successful exploitation can cause cmd_pending conflicts, potentially leading to data corruption or denial of service by stalling NAND operations. The vulnerability is rated High with a CVSS v3 score of 7.1, reflecting moderate impact on integrity and availability [4].
Mitigation
The fix adds nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access. Patches have been merged into the stable kernel trees as commits [1][2][3][4]. Users are advised to update to the latest stable kernel version that includes the fix.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.7.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/28ea836cc44cb8b89c1c174707ead0c1133c60e9 (nvd, Patch)
- git.kernel.org/stable/c/5fd5c078af23cb353507aa522e09d557d7eaef04 (nvd, Patch)
- git.kernel.org/stable/c/a80291e577b44593a724d6cd64c14337c78f194d (nvd, Patch)
- git.kernel.org/stable/c/bab2bc6e850a697a23b9e5f0e21bb8c187615e95 (nvd, Patch)
- git.kernel.org/stable/c/ce5229e78078e437704157eb542f43a6f83b429b (nvd, Patch)
- git.kernel.org/stable/c/f25446e2c28939753d3b62d34dfda49952b2557d (nvd, Patch)
- git.kernel.org/stable/c/f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2 (nvd, Patch)
- git.kernel.org/stable/c/fe4a73c3dd48308149d57a10c2761e1d36ced7ba (nvd, Patch)