{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23292", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:50.408Z", "dateUpdated": "2026-03-25T16:49:12.937Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T16:49:12.937Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix recursive locking in __configfs_open_file()\n\nIn flush_write_buffer, &p->frag_sem is acquired and then the loaded store\nfunction is called, which, here, is target_core_item_dbroot_store(). This\nfunction called filp_open(), following which these functions were called\n(in reverse order), according to the call trace:\n\n down_read\n __configfs_open_file\n do_dentry_open\n vfs_open\n do_open\n path_openat\n do_filp_open\n file_open_name\n filp_open\n target_core_item_dbroot_store\n flush_write_buffer\n configfs_write_iter\n\ntarget_core_item_dbroot_store() tries to validate the new file path by\ntrying to open the file path provided to it; however, in this case, the bug\nreport shows:\n\ndb_root: not a directory: /sys/kernel/config/target/dbroot\n\nindicating that the same configfs file was tried to be opened, on which it\nis currently working on. Thus, it is trying to acquire frag_sem semaphore\nof the same file of which it already holds the semaphore obtained in\nflush_write_buffer(), leading to acquiring the semaphore in a nested manner\nand a possibility of recursive locking.\n\nFix this by modifying target_core_item_dbroot_store() to use kern_path()\ninstead of filp_open() to avoid opening the file using filesystem-specific\nfunction __configfs_open_file(), and further modifying it to make this fix\ncompatible."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/target/target_core_configfs.c"], "versions": [{"version": "b0841eefd9693827afb9888235e26ddd098f9cef", "lessThan": "3161ef61f121d4573cad5b57c92188dcd9b284b3", "status": "affected", "versionType": "git"}, {"version": "b0841eefd9693827afb9888235e26ddd098f9cef", "lessThan": "e8ef82cb6443d5f3260b1b830e17f03dda4229ea", "status": "affected", "versionType": "git"}, {"version": "b0841eefd9693827afb9888235e26ddd098f9cef", "lessThan": "4fcfa424a581d823cb1a9676e3eefe6ca17e453a", "status": "affected", "versionType": "git"}, {"version": "b0841eefd9693827afb9888235e26ddd098f9cef", "lessThan": "9a5641024fbfd9b24fe65984ad85fea10a3ae438", "status": "affected", "versionType": "git"}, {"version": "b0841eefd9693827afb9888235e26ddd098f9cef", "lessThan": "142eacb50fb903a4c10dee7e67b6e79ebb36a582", "status": "affected", "versionType": "git"}, {"version": "b0841eefd9693827afb9888235e26ddd098f9cef", "lessThan": "14d4ac19d1895397532eec407433c5d74d9da53b", "status": "affected", "versionType": "git"}, {"version": "49824b5c875087a52672b0c8e8ecbefe6f773532", "status": "affected", "versionType": "git"}, {"version": "09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1", "status": "affected", "versionType": "git"}, {"version": "0dfc45be875a378c2a3a4d6ed8e668ec8eb75073", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/target/target_core_configfs.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.201"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.84"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3161ef61f121d4573cad5b57c92188dcd9b284b3"}, {"url": "https://git.kernel.org/stable/c/e8ef82cb6443d5f3260b1b830e17f03dda4229ea"}, {"url": "https://git.kernel.org/stable/c/4fcfa424a581d823cb1a9676e3eefe6ca17e453a"}, {"url": "https://git.kernel.org/stable/c/9a5641024fbfd9b24fe65984ad85fea10a3ae438"}, {"url": "https://git.kernel.org/stable/c/142eacb50fb903a4c10dee7e67b6e79ebb36a582"}, {"url": "https://git.kernel.org/stable/c/14d4ac19d1895397532eec407433c5d74d9da53b"}], "title": "scsi: target: Fix recursive locking in __configfs_open_file()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix recursive locking in __configfs_open_file()\n\nIn flush_write_buffer, &p->frag_sem is acquired and then the loaded store\nfunction is called, which, here, is target_core_item_dbroot_store(). This\nfunction called filp_open(), following which these functions were called\n(in reverse order), according to the call trace:\n\n down_read\n __configfs_open_file\n do_dentry_open\n vfs_open\n do_open\n path_openat\n do_filp_open\n file_open_name\n filp_open\n target_core_item_dbroot_store\n flush_write_buffer\n configfs_write_iter\n\ntarget_core_item_dbroot_store() tries to validate the new file path by\ntrying to open the file path provided to it; however, in this case, the bug\nreport shows:\n\ndb_root: not a directory: /sys/kernel/config/target/dbroot\n\nindicating that the same configfs file was tried to be opened, on which it\nis currently working on. Thus, it is trying to acquire frag_sem semaphore\nof the same file of which it already holds the semaphore obtained in\nflush_write_buffer(), leading to acquiring the semaphore in a nested manner\nand a possibility of recursive locking.\n\nFix this by modifying target_core_item_dbroot_store() to use kern_path()\ninstead of filp_open() to avoid opening the file using filesystem-specific\nfunction __configfs_open_file(), and further modifying it to make this fix\ncompatible."}], "id": "CVE-2026-23292", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:24.357", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/142eacb50fb903a4c10dee7e67b6e79ebb36a582"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/14d4ac19d1895397532eec407433c5d74d9da53b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3161ef61f121d4573cad5b57c92188dcd9b284b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4fcfa424a581d823cb1a9676e3eefe6ca17e453a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a5641024fbfd9b24fe65984ad85fea10a3ae438"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e8ef82cb6443d5f3260b1b830e17f03dda4229ea"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T11:24:59.630846+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel patch that incorporates the fix for this recursive locking issue.", "If a kernel update is not immediately possible, restrict write access to /sys/kernel/config/target to limit the ability to trigger the flaw.", "Monitor system logs and kernel messages for signs of deadlocks or crashes that may indicate exploitation attempts."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service (Kernel Crash)"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel\u2019s SCSI target subsystem. It was discovered in the source tree prior to the patch that replaced the filp_open call with kern_path. Affected installations are those running older kernel releases that have not yet incorporated the fix, but no explicit version range is provided.", "description_and_impact": "The vulnerability exists in the Linux kernel's SCSI target component. During a configuration write, the module redundantly opens the same configuration file, which causes the fragile semaphore frag_sem to be acquired recursively. This recursive acquisition can lead to a deadlock or a kernel panic, resulting in denial of service on the affected system.", "risk_and_exploitability": "The risk level cannot be quantified with a CVSS score because no numeric data is supplied, but enterprise systems running the vulnerable kernel could be subjected to a denial\u2011of\u2011service event. Exploitation would likely require local privilege or the ability to write to the target configuration filesystem. No evidence of active exploitation or inclusion in the CISA known exploited catalog is available, so the current probability of exploitation is uncertain."}}}}, "created": "2026-03-25T21:15:38.451256+00:00", "updated": "2026-03-25T21:15:38.451308+00:00", "vendors": [], "weaknesses": ["CWE-773"]}