CVE-2026-46044
Description
In the Linux kernel, the following vulnerability has been resolved:
ipmi:ssif: Clean up kthread on errors
If an error occurs after the ssif kthread is created, but before the main IPMI code starts the ssif interface, the ssif kthread will not be stopped.
So make sure the kthread is stopped on an error condition if it is running.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel ipmi:ssif driver, a missing kthread stop on error leads to potential resource leak and system instability.
Vulnerability
The ipmi:ssif driver in the Linux kernel contains a bug where, if an error occurs after the ssif kernel thread (kthread) is created but before the main IPMI code starts the ssif interface, the kthread is never stopped. This leaves a stale kthread running, potentially causing resource leakage and system instability. The issue affects kernel versions that include the ipmi:ssif driver and predate the fix commit 858bc8b9edb6 [1].
Exploitation
An attacker does not need direct access to the IPMI interface to trigger this issue; rather, the vulnerability is triggered as a consequence of an error condition during the initialization sequence of the ssif driver. The error can be caused by various internal failures (e.g., malformed system management interface transactions, hardware communication errors). Once the kthread is created, any subsequent error before interface start will leave the thread running indefinitely. No specific user authentication or network position is required beyond the normal conditions that cause driver initialization errors.
Impact
Successful exploitation results in a leftover kernel thread that continues to run, consuming CPU resources and potentially causing denial of service (DoS) by exhausting process slots or leading to unpredictable system behavior. The impact is primarily availability; the vulnerability does not directly allow code execution or privilege escalation. The severity is moderate, as it requires specific error conditions to occur during driver initialization.
Mitigation
The fix is included in upstream Linux kernel commit 858bc8b9edb6eaf0522900128bb9053e2df6b0f6 [1]. Users should apply this patch or update to a kernel version that includes it. For systems using stable or LTS kernels, the fix will be backported over time. No workaround is available other than avoiding conditions that trigger errors during ssif driver initialization. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 Patches
675c486cb1bca ipmi:ssif: Clean up kthread on errors
1 file changed · +12 −2
drivers/char/ipmi/ipmi_ssif.c+12 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index ce918fe987c631..b49500a1bd3637 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -1268,8 +1268,10 @@ static void shutdown_ssif(void *send_info) ssif_info->stopping = true; timer_delete_sync(&ssif_info->watch_timer); timer_delete_sync(&ssif_info->retry_timer); - if (ssif_info->thread) + if (ssif_info->thread) { kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } } static void ssif_remove(struct i2c_client *client) @@ -1912,6 +1914,15 @@ static int ssif_probe(struct i2c_client *client) out: if (rv) { + /* + * If ipmi_register_smi() starts the interface, it will + * call shutdown and that will free the thread and set + * it to NULL. Otherwise it must be freed here. + */ + if (ssif_info->thread) { + kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } if (addr_info) addr_info->client = NULL; -- cgit 1.3-korg
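Review bot: in the shutdown_ssif() hunk, clearing ssif_info->thread after kthread_stop() is what lets a later cleanup pass treat the pointer as "nothing to do", but it is only safe because the two timer_delete_sync() calls on the preceding lines have already run, so no timer callback can still hand the now-NULL pointer to a wake-up; any other path that reads ssif_info->thread after shutdown must now tolerate NULL, and this hunk does not show whether one exists. The same stop-and-clear pair is added to ssif_probe() in the second hunk; a small helper (stop, then set NULL) would keep the two copies from drifting apart.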
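Review bot: the ssif_probe() out: hunk relies on two things the diff does not show: ssif_info->thread must start out NULL so that failures before the thread is created skip the stop, and the thread's loop must honour kthread_should_stop(), since kthread_stop() blocks until the thread exits. Unlike shutdown_ssif(), this path stops the thread without first deleting watch_timer and retry_timer; if either timer can already be armed when probe fails at this point, it should be confirmed that it cannot fire against a task that is gone. The comment's "free the thread" would be more accurate as "stop the thread and clear the pointer", which is what the added lines actually do.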
800febc637d1 ipmi:ssif: Clean up kthread on errors
1 file changed · +12 −2
drivers/char/ipmi/ipmi_ssif.c+12 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index 37a5cb5c53f1fc..9e4e1c6e44f281 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -1268,8 +1268,10 @@ static void shutdown_ssif(void *send_info) ssif_info->stopping = true; timer_delete_sync(&ssif_info->watch_timer); timer_delete_sync(&ssif_info->retry_timer); - if (ssif_info->thread) + if (ssif_info->thread) { kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } } static void ssif_remove(struct i2c_client *client) @@ -1916,6 +1918,15 @@ static int ssif_probe(struct i2c_client *client) out: if (rv) { + /* + * If ipmi_register_smi() starts the interface, it will + * call shutdown and that will free the thread and set + * it to NULL. Otherwise it must be freed here. + */ + if (ssif_info->thread) { + kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } if (addr_info) addr_info->client = NULL; -- cgit 1.3-korg
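Review bot: these are the same two hunks as the first patch above, differing only in the ssif_probe() hunk offset (@@ -1916 here), so the same points apply: the out: path stops the thread without the timer_delete_sync() calls that shutdown_ssif() performs first, the check assumes ssif_info->thread is NULL until the thread is created, and the stop-and-clear sequence now lives in two places.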
858bc8b9edb6 ipmi:ssif: Clean up kthread on errors
1 file changed · +12 −2
drivers/char/ipmi/ipmi_ssif.c+12 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index 1b63f7d2fcda5f..039d5d26b5de26 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -1270,8 +1270,10 @@ static void shutdown_ssif(void *send_info) ssif_info->stopping = true; timer_delete_sync(&ssif_info->watch_timer); timer_delete_sync(&ssif_info->retry_timer); - if (ssif_info->thread) + if (ssif_info->thread) { kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } } static void ssif_remove(struct i2c_client *client) @@ -1918,6 +1920,15 @@ static int ssif_probe(struct i2c_client *client) out: if (rv) { + /* + * If ipmi_register_smi() starts the interface, it will + * call shutdown and that will free the thread and set + * it to NULL. Otherwise it must be freed here. + */ + if (ssif_info->thread) { + kthread_stop(ssif_info->thread); + ssif_info->thread = NULL; + } if (addr_info) addr_info->client = NULL; -- cgit 1.3-korg
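Review bot: this upstream version carries the same two hunks as the backports above, with the ssif_probe() hunk at @@ -1918 and shutdown_ssif() at @@ -1270; the review points are unchanged: the error path does not delete the two timers before kthread_stop() the way shutdown_ssif() does, the new check depends on ssif_info->thread being NULL before creation, and the duplicated stop-and-clear lines would be better shared through one helper.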
Vulnerability mechanics
Root cause
"Missing kthread cleanup in the error path of ssif_probe() — if an error occurs after the ssif kernel thread is created but before ipmi_register_smi() starts the interface, the thread is never stopped, leading to a resource leak."
Attack vector
An attacker does not directly trigger this bug; it is a resource-leak vulnerability that manifests during driver probe. If the ssif_probe() function in drivers/char/ipmi/ipmi_ssif.c encounters an error (e.g., a registration failure) after creating the ssif kernel thread, the thread continues running unmanaged. No special network path or payload is required — the condition arises from normal error handling during device initialization [patch_id=2660180].
Affected code
The vulnerability is in drivers/char/ipmi/ipmi_ssif.c, specifically in the ssif_probe() function's error handling (the "out:" label) and in shutdown_ssif(). The ssif kernel thread is created earlier in ssif_probe() but was not stopped on probe failure before the patch.
What the fix does
The patch adds a kthread_stop() call in the error path of ssif_probe() when rv (the return value) is non-zero and ssif_info->thread is still set [patch_id=2660180]. It also sets ssif_info->thread = NULL after stopping the thread in both shutdown_ssif() and the new error path, preventing a double-stop or use-after-free. The comment explains that if ipmi_register_smi() had already started the interface, its own shutdown callback would have freed the thread and set it to NULL; otherwise the new code handles cleanup.
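As an added illustration (constructed here, not code from the kernel or from the patch), the following userspace C model mirrors the lifecycle the fix corrects: a worker thread stands in for the ssif kthread, stop_ssif_thread() plays the role of kthread_stop() followed by the NULL assignment, and ssif_probe() lets the caller inject a registration failure after the thread already exists, so the leaked-thread and clean-exit outcomes can be compared through a live worker count. Every name here is a hypothetical analogue, not a kernel API.

```c
/* Constructed userspace model of the ipmi_ssif probe/shutdown lifecycle (not kernel
 * code): a worker stands in for the ssif kthread and must be stopped on every exit path. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

static atomic_int live_workers;          /* leak detector: workers not yet joined */
struct ssif_info {
    pthread_t *thread;                   /* stands in for ssif_info->thread */
    atomic_bool stopping;                /* stands in for kthread_should_stop() */
};

static void *ssif_worker(void *arg)
{
    struct ssif_info *info = arg;
    while (!atomic_load(&info->stopping)) /* the real thread sleeps; a spin keeps this plain C11 */
        ;
    atomic_fetch_sub(&live_workers, 1);
    return NULL;
}
/* kthread_stop() analogue plus the NULL assignment the fix adds: safe to call twice. */
static void stop_ssif_thread(struct ssif_info *info)
{
    if (!info->thread)
        return;                          /* already stopped or never created */
    atomic_store(&info->stopping, true);
    pthread_join(*info->thread, NULL);   /* blocks until the worker has exited */
    free(info->thread);
    info->thread = NULL;
}
/* Probe model; the caller injects the registration failure that opens the CVE window. */
static int ssif_probe(struct ssif_info *info, bool register_fails, bool fixed)
{
    atomic_store(&info->stopping, false);
    info->thread = malloc(sizeof *info->thread);
    if (!info->thread || pthread_create(info->thread, NULL, ssif_worker, info)) {
        free(info->thread);
        info->thread = NULL;
        return -1;                       /* no worker exists: nothing to stop */
    }
    atomic_fetch_add(&live_workers, 1);
    if (register_fails) {
        if (fixed)
            stop_ssif_thread(info);      /* the patched out: path */
        return -1;                       /* unpatched: the worker is leaked */
    }
    return 0;
}
static int live_worker_count(void) { return atomic_load(&live_workers); }
```

With fixed = false the probe returns an error while the live worker count stays at 1 and the pointer is still set, which is the leak the CVE describes; with fixed = true the count returns to 0, the pointer is NULL, and a second stop_ssif_thread() call is a harmless no-op.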
Preconditions
- config: The IPMI SSIF driver must be built into the kernel or loaded as a module.
- input: An error must occur in ssif_probe() after the ssif kernel thread is created but before ipmi_register_smi() completes successfully.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3 News mentions
No linked articles in our index yet.