CVE-2026-43115
Description
In the Linux kernel, the following vulnerability has been resolved:
srcu: Use irq_work to start GP in tiny SRCU
Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool->lock.
This causes a lockdep splat when call_srcu() is called with a scheduler lock held, due to:
call_srcu() [holding pi_lock] srcu_gp_start_if_needed() schedule_work() -> pool->lock
workqueue_init() / create_worker() [holding pool->lock] wake_up_process() -> try_to_wake_up() -> pi_lock
Also add irq_work_sync() to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins.
Tested with rcutorture SRCU-T and no lockdep warnings.
[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work to start process_srcu()" ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A lockdep splat in tiny SRCU when call_srcu() is invoked with a scheduler lock held is fixed by using irq_work instead of schedule_work().
Vulnerability
Analysis
CVE-2026-43115 addresses a lock ordering issue in the Linux kernel's tiny SRCU (Sleepable Read-Copy-Update) implementation. The root cause is that srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool lock. When call_srcu() is invoked while holding a scheduler lock (such as pi_lock), this creates a circular lock dependency: call_srcu() → srcu_gp_start_if_needed() → schedule_work() → pool lock, while the workqueue initialization path holds the pool lock and then acquires pi_lock via wake_up_process(). This results in a lockdep splat [1].
Exploitation and
Impact
The vulnerability is triggered by calling call_srcu() while holding a scheduler lock, which can occur in various kernel contexts. No special privileges are required beyond the ability to invoke SRCU callbacks in such a context. The impact is a lockdep warning and potential deadlock, which can lead to system instability or denial of service. An attacker who can control the timing of SRCU callbacks might exploit this to cause a system hang [1].
Mitigation
The fix replaces the direct schedule_work() call with irq_work, which avoids acquiring the problematic pool lock. Additionally, irq_work_sync() is added to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins. The patch has been tested with rcutorture SRCU-T and shows no lockdep warnings. It is included in the stable kernel tree [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=4.12,<6.19.14
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026