{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31557", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.116Z", "datePublished": "2026-04-24T14:35:40.544Z", "dateUpdated": "2026-05-11T22:11:05.413Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:05.413Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: move async event work off nvmet-wq\n\nFor target nvmet_ctrl_free() flushes ctrl->async_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\n\nA. Async event work queued on nvmet-wq (prior to disconnect):\n nvmet_execute_async_event()\n queue_work(nvmet_wq, &ctrl->async_event_work)\n\n nvmet_add_async_event()\n queue_work(nvmet_wq, &ctrl->async_event_work)\n\nB. Full pre-work chain (RDMA CM path):\n nvmet_rdma_cm_handler()\n nvmet_rdma_queue_disconnect()\n __nvmet_rdma_queue_disconnect()\n queue_work(nvmet_wq, &queue->release_work)\n process_one_work()\n lock((wq_completion)nvmet-wq) <--------- 1st\n nvmet_rdma_release_queue_work()\n\nC. Recursive path (same worker):\n nvmet_rdma_release_queue_work()\n nvmet_rdma_free_queue()\n nvmet_sq_destroy()\n nvmet_ctrl_put()\n nvmet_ctrl_free()\n flush_work(&ctrl->async_event_work)\n __flush_work()\n touch_wq_lockdep_map()\n lock((wq_completion)nvmet-wq) <--------- 2nd\n\nLockdep splat:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.19.0-rc3nvme+ #14 Tainted: G N\n --------------------------------------------\n kworker/u192:42/44933 is trying to acquire lock:\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n\n but task is already holding lock:\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n\n 3 locks held by kworker/u192:42/44933:\n #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n\n Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\n Call Trace:\n __flush_work+0x268/0x530\n nvmet_ctrl_free+0x140/0x310 [nvmet]\n nvmet_cq_put+0x74/0x90 [nvmet]\n nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\n nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\n process_one_work+0x206/0x660\n worker_thread+0x184/0x320\n kthread+0x10c/0x240\n ret_from_fork+0x319/0x390\n\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on nvmet-wq."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/admin-cmd.c", "drivers/nvme/target/core.c", "drivers/nvme/target/nvmet.h", "drivers/nvme/target/rdma.c"], "versions": [{"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e", "lessThan": "49c7c50ee6325a084216e94395e067ecde8088fa", "status": "affected", "versionType": "git"}, {"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e", "lessThan": "ca111c9d8d6c9d5735878d933a1716c4be86c2d1", "status": "affected", "versionType": "git"}, {"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e", "lessThan": "25ceffc1dabec3b93f458b437aae26f4da293f87", "status": "affected", "versionType": "git"}, {"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e", "lessThan": "2922e3507f6d5caa7f1d07f145e186fc6f317a4e", "status": "affected", "versionType": "git"}, {"version": "d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9", "status": "affected", "versionType": "git"}, {"version": "84026f8c9357c62a9d3e4c554ffd10ccab813654", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nvme/target/admin-cmd.c", "drivers/nvme/target/core.c", "drivers/nvme/target/nvmet.h", "drivers/nvme/target/rdma.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/49c7c50ee6325a084216e94395e067ecde8088fa"}, {"url": "https://git.kernel.org/stable/c/ca111c9d8d6c9d5735878d933a1716c4be86c2d1"}, {"url": "https://git.kernel.org/stable/c/25ceffc1dabec3b93f458b437aae26f4da293f87"}, {"url": "https://git.kernel.org/stable/c/2922e3507f6d5caa7f1d07f145e186fc6f317a4e"}], "title": "nvmet: move async event work off nvmet-wq", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "752141E3-2E88-4CDB-962E-FE1DFC022596", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.42", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E648BBD2-268B-4150-94DA-5E0D23BF336E", "versionEndExcluding": "5.18", "versionStartIncluding": "5.17.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "67222101-CC02-4250-A6E8-A98BDD29DB6F", "versionEndExcluding": "6.12.80", "versionStartIncluding": "5.18.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*", "matchCriteriaId": "0384FA0A-DE99-48D7-84E3-46ED0C3B5E03", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: move async event work off nvmet-wq\n\nFor target nvmet_ctrl_free() flushes ctrl->async_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\n\nA. Async event work queued on nvmet-wq (prior to disconnect):\n nvmet_execute_async_event()\n queue_work(nvmet_wq, &ctrl->async_event_work)\n\n nvmet_add_async_event()\n queue_work(nvmet_wq, &ctrl->async_event_work)\n\nB. Full pre-work chain (RDMA CM path):\n nvmet_rdma_cm_handler()\n nvmet_rdma_queue_disconnect()\n __nvmet_rdma_queue_disconnect()\n queue_work(nvmet_wq, &queue->release_work)\n process_one_work()\n lock((wq_completion)nvmet-wq) <--------- 1st\n nvmet_rdma_release_queue_work()\n\nC. Recursive path (same worker):\n nvmet_rdma_release_queue_work()\n nvmet_rdma_free_queue()\n nvmet_sq_destroy()\n nvmet_ctrl_put()\n nvmet_ctrl_free()\n flush_work(&ctrl->async_event_work)\n __flush_work()\n touch_wq_lockdep_map()\n lock((wq_completion)nvmet-wq) <--------- 2nd\n\nLockdep splat:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.19.0-rc3nvme+ #14 Tainted: G N\n --------------------------------------------\n kworker/u192:42/44933 is trying to acquire lock:\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n\n but task is already holding lock:\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n\n 3 locks held by kworker/u192:42/44933:\n #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n\n Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\n Call Trace:\n __flush_work+0x268/0x530\n nvmet_ctrl_free+0x140/0x310 [nvmet]\n nvmet_cq_put+0x74/0x90 [nvmet]\n nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\n nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\n process_one_work+0x206/0x660\n worker_thread+0x184/0x320\n kthread+0x10c/0x240\n ret_from_fork+0x319/0x390\n\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on nvmet-wq."}], "id": "CVE-2026-31557", "lastModified": "2026-04-27T20:14:08.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:30.080", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/25ceffc1dabec3b93f458b437aae26f4da293f87"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2922e3507f6d5caa7f1d07f145e186fc6f317a4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/49c7c50ee6325a084216e94395e067ecde8088fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca111c9d8d6c9d5735878d933a1716c4be86c2d1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nvmet: move async event work off nvmet-wq", "id": "2461463", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461463"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-833", "details": ["A flaw was found in the Linux kernel, specifically within the NVMe over Fabrics (NVMe-oF) target's nvmet and nvmet_rdma modules. A local attacker could potentially trigger a recursive locking condition in the nvmet-wq workqueue during asynchronous event processing. This issue arises when nvmet_ctrl_free() attempts to flush an asynchronous event work while already executing on the same workqueue, leading to a deadlock. The most important consequence is a Denial of Service (DoS), causing system instability or unresponsiveness."], "name": "CVE-2026-31557", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31557\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31557\nhttps://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31557-dca7@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8832cf922151e9dfa2821736beb0ae2dd3968b6e,49c7c50ee6325a084216e94395e067ecde8088fa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8832cf922151e9dfa2821736beb0ae2dd3968b6e,ca111c9d8d6c9d5735878d933a1716c4be86c2d1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8832cf922151e9dfa2821736beb0ae2dd3968b6e,25ceffc1dabec3b93f458b437aae26f4da293f87)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8832cf922151e9dfa2821736beb0ae2dd3968b6e,2922e3507f6d5caa7f1d07f145e186fc6f317a4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "84026f8c9357c62a9d3e4c554ffd10ccab813654"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:14:56.116035+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version where the nvmet async event work queue has been moved to a dedicated nvmet-aen-wq (e.g., kernel 7.0 RC8 or later).", "If an upgrade cannot be performed immediately, consider disabling nvmet services or limiting client connections until the patch is applied to reduce the chance of triggering the recursive lock.", "Monitor /var/log/kern.log or dmesg for lockdep warnings indicating possible recursive locking on nvmet-wq and verify that no such warnings appear after applying the patch."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel, specifically versions 5.18 and all 7.0 release candidates from RC1 through RC7. Any system running these kernel releases with nvmet enabled is potentially impacted. The issue arises with both the standard kernel and the development 7.0 series that include the nvmet module.", "description_and_impact": "A recursive lock acquisition occurs in the Linux kernel nvmet module when the controller is freed while its async event work is still scheduled on the nvmet workqueue. The flush_work call inside nvmet_ctrl_free() executes while the same workqueue lock is already held, causing a deadlock detected by lockdep. If the deadlock resolves, it can block the worker thread indefinitely, leading to a kernel lockup or a delayed termination of the nvmet service, which effectively denies functionality to clients relying on NVMe over Fabrics. This vulnerability does not directly provide an attacker with code execution or data exfiltration; the primary impact is a loss of service availability for NVMe traffic. This is a concurrency bug (CWE\u2011833).", "risk_and_exploitability": "The CVSS score of 7.5 indicates moderate-to-high severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The bug has not been listed in the CISA KEV catalog, further supporting that it is not actively exploited. The most likely attack vector is local or privileged; a malicious user who can generate or force an nvmet disconnect may trigger the recursive locking scenario. Because the flaw surfaces during normal kernel operation of NVMe connections and requires the kernel to execute a flush while holding its own workqueue lock, remediation focuses on applying the kernel patch that moves async event work to a dedicated queue."}}}}, "created": "2026-04-27T19:15:11.615079+00:00", "updated": "2026-04-28T14:15:34.937704+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}