{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23356", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.000Z", "datePublished": "2026-03-25T10:27:40.454Z", "dateUpdated": "2026-03-25T16:49:14.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T16:49:14.505Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()\n\nEven though we check that we \"should\" be able to do lc_get_cumulative()\nwhile holding the device->al_lock spinlock, it may still fail,\nif some other code path decided to do lc_try_lock() with bad timing.\n\nIf that happened, we logged \"LOGIC BUG for enr=...\",\nbut still did not return an error.\n\nThe rest of the code now assumed that this request has references\nfor the relevant activity log extents.\n\nThe implcations are that during an active resync, mutual exclusivity of\nresync versus application IO is not guaranteed. And a potential crash\nat this point may not realizs that these extents could have been target\nof in-flight IO and would need to be resynced just in case.\n\nAlso, once the request completes, it will give up activity log references it\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\n\nFix:\n\nDo not crash the kernel for a condition that is harmless during normal\noperation: also catch \"e->refcnt == 0\", not only \"e == NULL\"\nwhen being noisy about \"al_complete_io() called on inactive extent %u\\n\".\n\nAnd do not try to be smart and \"guess\" whether something will work, then\nbe surprised when it does not.\nDeal with the fact that it may or may not work. If it does not, remember a\npossible \"partially in activity log\" state (only possible for requests that\ncross extent boundaries), and return an error code from\ndrbd_al_begin_io_nonblock().\n\nA latter call for the same request will then resume from where we left off."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/block/drbd/drbd_actlog.c", "drivers/block/drbd/drbd_interval.h"], "versions": [{"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214", "lessThan": "7752569fc78e89794ce28946529850282233f99d", "status": "affected", "versionType": "git"}, {"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214", "lessThan": "e91d8d6565b7819d13dab21d4dbed5b45efba59b", "status": "affected", "versionType": "git"}, {"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214", "lessThan": "eef1390125b660b8b61f9f227a03bb9c5e6d36a5", "status": "affected", "versionType": "git"}, {"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214", "lessThan": "d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508", "status": "affected", "versionType": "git"}, {"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214", "lessThan": "f558e5404a72054b525dced1a0c66aa95a144153", "status": "affected", "versionType": "git"}, {"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214", "lessThan": "ab140365fb62c0bdab22b2f516aff563b2559e3b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/block/drbd/drbd_actlog.c", "drivers/block/drbd/drbd_interval.h"], "versions": [{"version": "3.10", "status": "affected"}, {"version": "0", "lessThan": "3.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d"}, {"url": "https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b"}, {"url": "https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5"}, {"url": "https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508"}, {"url": "https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153"}, {"url": "https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b"}], "title": "drbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()\n\nEven though we check that we \"should\" be able to do lc_get_cumulative()\nwhile holding the device->al_lock spinlock, it may still fail,\nif some other code path decided to do lc_try_lock() with bad timing.\n\nIf that happened, we logged \"LOGIC BUG for enr=...\",\nbut still did not return an error.\n\nThe rest of the code now assumed that this request has references\nfor the relevant activity log extents.\n\nThe implcations are that during an active resync, mutual exclusivity of\nresync versus application IO is not guaranteed. And a potential crash\nat this point may not realizs that these extents could have been target\nof in-flight IO and would need to be resynced just in case.\n\nAlso, once the request completes, it will give up activity log references it\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\n\nFix:\n\nDo not crash the kernel for a condition that is harmless during normal\noperation: also catch \"e->refcnt == 0\", not only \"e == NULL\"\nwhen being noisy about \"al_complete_io() called on inactive extent %u\\n\".\n\nAnd do not try to be smart and \"guess\" whether something will work, then\nbe surprised when it does not.\nDeal with the fact that it may or may not work. If it does not, remember a\npossible \"partially in activity log\" state (only possible for requests that\ncross extent boundaries), and return an error code from\ndrbd_al_begin_io_nonblock().\n\nA latter call for the same request will then resume from where we left off."}], "id": "CVE-2026-23356", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:34.270", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T12:27:22.394120+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that contains the commit which fixes drbd_al_begin_io_nonblock().", "Reboot the system after installing the updated kernel to load the patched code.", "If a kernel upgrade is not immediately possible, temporarily disable DRBD resynchronization or pause all DRBD traffic to avoid triggering the logic bug.", "Continuously watch kernel logs for BUG_ON(refcnt == 0) or kernel panic entries and adjust monitoring if the error persists."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that contain the pre\u2011fix DRBD implementation are affected. The precise version range is not enumerated, so any kernel that includes the buggy drbd_al_begin_io_nonblock() code prior to the commit that introduces the fix is potentially vulnerable. This includes standard distributions that ship the Linux kernel with DRBD support, regardless of vendor.\n", "description_and_impact": "This logical fault in the Linux kernel\u2019s drbd_al_begin_io_nonblock() routine can trigger a BUG_ON, causing a kernel panic while a DRBD resynchronization or IO operation is in progress. The bug occurs when the code attempts to release activity log references that were never held, which leads to a reference\u2011count underflow and a fatal error. The resulting crash forces a system reboot and can disrupt cluster services that rely on DRBD. Because the condition is only triggered by specific timing during active resync, normal usage does not normally reveal the flaw, but the crash path is fully exercised once the code path is hit.\n", "risk_and_exploitability": "The CVSS score is not supplied, and EPSS data is unavailable. However, the vulnerability admits a severe outcome: a local kernel crash that can be observed as a panic message and requires a reboot. The likely attack vector involves initiating or manipulating DRBD resynchronization or heavy application IO that exercises the faulty routine; this generally requires local or privileged access to the node or an exploited remote peer that can trigger a resync. The risk is high when the vulnerable code is reachable, as the crash is unavoidable once the condition is met.\n"}}}}, "created": "2026-03-25T21:31:59.378355+00:00", "updated": "2026-03-25T21:31:59.378386+00:00", "vendors": [], "weaknesses": ["CWE-665"]}