← All advisories

Unrated severityNVD Advisory· Published Jun 8, 2026

CVE-2026-46304

CVE-2026-46304

Description

Linux kernel nvmet subsystem vulnerable to recursive locking, potentially causing system instability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel nvmet subsystem vulnerable to recursive locking, potentially causing system instability.

Vulnerability

The Linux kernel's nvmet subsystem contains a vulnerability where the nvmet_tcp_release_queue_work function, running on the nvmet-wq workqueue, can trigger a recursive flush of ctrl->async_event_work on the same workqueue. This occurs when nvmet_ctrl_free() is called during the teardown path, leading to a potential recursive locking condition detected by lockdep. This affects versions of the Linux kernel where this specific call chain exists.

Exploitation

An attacker would need to trigger a specific sequence of events within the nvmet subsystem, likely involving the removal of a network transport queue while asynchronous events are still being processed. This could be initiated by operations that lead to nvmet_tcp_schedule_release_queue() being called, which in turn schedules nvmet_tcp_release_queue_work() on nvmet_wq. If this work item causes nvmet_ctrl_free() to be invoked, it attempts to flush ctrl->async_event_work on the same nvmet_wq, leading to the recursive lock.

Impact

The primary impact of this vulnerability is a potential system instability due to the detected recursive locking. While the provided references do not explicitly detail information disclosure or arbitrary code execution, the recursive locking condition can lead to deadlocks or kernel panics, rendering the system unresponsive or requiring a reboot.

Mitigation

This vulnerability has been resolved in the Linux kernel. The fix involves ensuring that nvmet_ctrl_free() does not recursively flush ctrl->async_event_work on the nvmet-wq when nvmet_tcp_release_queue_work() is already executing on it. Users should update to a patched version of the Linux kernel. Specific patched versions are not detailed in the provided references, but the commit is available in the Linux kernel git repository [1].

References

Making sure you're not a bot!

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Linux/Kernelllm-fuzzy

Patches

16

ee6e20c4bc9e

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 6.12.88via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index be9a7e8b547ac..9dcca9d03c28a 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1505,7 +1505,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

ae5b0cad1638

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 5.10.258via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index a04bb02c1251b..ddcfc51fc05c6 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1440,7 +1440,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	ida_simple_remove(&cntlid_ida, ctrl->cntlid);
-- 
cgit 1.3-korg

aade8abd8b86

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 7.1-rc2via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 33db6c5534e21..a87567f40c915 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1749,7 +1749,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

551f445a56a1

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 7.0.7via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 9238e13bd480a..ba4e1a5e0d4c8 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1743,7 +1743,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

781f47d64143

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 6.18.30via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 1c5b6bab47791..1567b35f96e37 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1746,7 +1746,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

9a4d7222c095

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 6.6.140via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 1cf6dfac18361..5a2adfc7c796a 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1497,7 +1497,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

a696fbbd5240

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 6.1.175via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index a68e7b1606da5..d2389918b1e86 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1496,7 +1496,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

8d66ba89480f

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitChaitanya KulkarniFixed in 5.15.209via kernel-cna

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 65bc1efa33d66..30177f42a2aa7 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1471,7 +1471,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	ida_simple_remove(&cntlid_ida, ctrl->cntlid);
-- 
cgit 1.3-korg

ee6e20c4bc9e

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index be9a7e8b547ac..9dcca9d03c28a 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1505,7 +1505,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

a696fbbd5240

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index a68e7b1606da5..d2389918b1e86 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1496,7 +1496,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

ae5b0cad1638

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index a04bb02c1251b..ddcfc51fc05c6 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1440,7 +1440,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	ida_simple_remove(&cntlid_ida, ctrl->cntlid);
-- 
cgit 1.3-korg

aade8abd8b86

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 33db6c5534e21..a87567f40c915 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1749,7 +1749,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

781f47d64143

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 1c5b6bab47791..1567b35f96e37 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1746,7 +1746,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

8d66ba89480f

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 65bc1efa33d66..30177f42a2aa7 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1471,7 +1471,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	ida_simple_remove(&cntlid_ida, ctrl->cntlid);
-- 
cgit 1.3-korg

551f445a56a1

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 9238e13bd480a..ba4e1a5e0d4c8 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1743,7 +1743,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

9a4d7222c095

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitChaitanya Kulkarnivia nvd-ref

1 file changed · +1 −2

drivers/nvme/target/core.c+1 −2 modified

diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 1cf6dfac18361..5a2adfc7c796a 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1497,7 +1497,7 @@ static void nvmet_ctrl_free(struct kref *ref)
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
-- 
cgit 1.3-korg

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

8

News mentions

1

Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026
Vypr Intelligence · Jun 8, 2026