CVE-2026-23356 (GCVE-0-2026-23356)

Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
VLAI?
Title
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Summary
In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log extents. The implcations are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realizs that these extents could have been target of in-flight IO and would need to be resynced just in case. Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). Fix: Do not crash the kernel for a condition that is harmless during normal operation: also catch "e->refcnt == 0", not only "e == NULL" when being noisy about "al_complete_io() called on inactive extent %u\n". And do not try to be smart and "guess" whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work. If it does not, remember a possible "partially in activity log" state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock(). A latter call for the same request will then resume from where we left off.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < 933d161baa3794547adee621c0bf52cbf2c1b3cd (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < cf01aa6288e1190f89865e765056e2a9d8190639 (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < 7752569fc78e89794ce28946529850282233f99d (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < e91d8d6565b7819d13dab21d4dbed5b45efba59b (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < eef1390125b660b8b61f9f227a03bb9c5e6d36a5 (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508 (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < f558e5404a72054b525dced1a0c66aa95a144153 (git)
Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < ab140365fb62c0bdab22b2f516aff563b2559e3b (git)
Create a notification for this product.
    Linux Linux Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.17 , ≤ 6.18.* (semver)
Unaffected: 6.19.7 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/drbd/drbd_actlog.c",
            "drivers/block/drbd/drbd_interval.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "933d161baa3794547adee621c0bf52cbf2c1b3cd",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "cf01aa6288e1190f89865e765056e2a9d8190639",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "7752569fc78e89794ce28946529850282233f99d",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "e91d8d6565b7819d13dab21d4dbed5b45efba59b",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "eef1390125b660b8b61f9f227a03bb9c5e6d36a5",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "f558e5404a72054b525dced1a0c66aa95a144153",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            },
            {
              "lessThan": "ab140365fb62c0bdab22b2f516aff563b2559e3b",
              "status": "affected",
              "version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/drbd/drbd_actlog.c",
            "drivers/block/drbd/drbd_interval.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()\n\nEven though we check that we \"should\" be able to do lc_get_cumulative()\nwhile holding the device-\u003eal_lock spinlock, it may still fail,\nif some other code path decided to do lc_try_lock() with bad timing.\n\nIf that happened, we logged \"LOGIC BUG for enr=...\",\nbut still did not return an error.\n\nThe rest of the code now assumed that this request has references\nfor the relevant activity log extents.\n\nThe implcations are that during an active resync, mutual exclusivity of\nresync versus application IO is not guaranteed. And a potential crash\nat this point may not realizs that these extents could have been target\nof in-flight IO and would need to be resynced just in case.\n\nAlso, once the request completes, it will give up activity log references it\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\n\nFix:\n\nDo not crash the kernel for a condition that is harmless during normal\noperation: also catch \"e-\u003erefcnt == 0\", not only \"e == NULL\"\nwhen being noisy about \"al_complete_io() called on inactive extent %u\\n\".\n\nAnd do not try to be smart and \"guess\" whether something will work, then\nbe surprised when it does not.\nDeal with the fact that it may or may not work.  If it does not, remember a\npossible \"partially in activity log\" state (only possible for requests that\ncross extent boundaries), and return an error code from\ndrbd_al_begin_io_nonblock().\n\nA latter call for the same request will then resume from where we left off."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T08:58:08.080Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/933d161baa3794547adee621c0bf52cbf2c1b3cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf01aa6288e1190f89865e765056e2a9d8190639"
        },
        {
          "url": "https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b"
        },
        {
          "url": "https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508"
        },
        {
          "url": "https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b"
        }
      ],
      "title": "drbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23356",
    "datePublished": "2026-03-25T10:27:40.454Z",
    "dateReserved": "2026-01-13T15:37:46.000Z",
    "dateUpdated": "2026-04-18T08:58:08.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23356",
      "date": "2026-04-24",
      "epss": "0.00032",
      "percentile": "0.09294"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23356\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-25T11:16:34.270\",\"lastModified\":\"2026-04-18T09:16:20.740\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrbd: fix \\\"LOGIC BUG\\\" in drbd_al_begin_io_nonblock()\\n\\nEven though we check that we \\\"should\\\" be able to do lc_get_cumulative()\\nwhile holding the device-\u003eal_lock spinlock, it may still fail,\\nif some other code path decided to do lc_try_lock() with bad timing.\\n\\nIf that happened, we logged \\\"LOGIC BUG for enr=...\\\",\\nbut still did not return an error.\\n\\nThe rest of the code now assumed that this request has references\\nfor the relevant activity log extents.\\n\\nThe implcations are that during an active resync, mutual exclusivity of\\nresync versus application IO is not guaranteed. And a potential crash\\nat this point may not realizs that these extents could have been target\\nof in-flight IO and would need to be resynced just in case.\\n\\nAlso, once the request completes, it will give up activity log references it\\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\\n\\nFix:\\n\\nDo not crash the kernel for a condition that is harmless during normal\\noperation: also catch \\\"e-\u003erefcnt == 0\\\", not only \\\"e == NULL\\\"\\nwhen being noisy about \\\"al_complete_io() called on inactive extent %u\\\\n\\\".\\n\\nAnd do not try to be smart and \\\"guess\\\" whether something will work, then\\nbe surprised when it does not.\\nDeal with the fact that it may or may not work.  If it does not, remember a\\npossible \\\"partially in activity log\\\" state (only possible for requests that\\ncross extent boundaries), and return an error code from\\ndrbd_al_begin_io_nonblock().\\n\\nA latter call for the same request will then resume from where we left off.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\ndrbd: corrige el \u0027LOGIC BUG\u0027 en drbd_al_begin_io_nonblock()\\n\\nAunque verificamos que \\\"deber\u00edamos\\\" poder hacer lc_get_cumulative() mientras mantenemos el spinlock device-\u0026gt;al_lock, a\u00fan puede fallar, si alguna otra ruta de c\u00f3digo decidi\u00f3 hacer lc_try_lock() con una sincronizaci\u00f3n deficiente.\\n\\nSi eso suced\u00eda, registr\u00e1bamos \u0027LOGIC BUG for enr=...\u0027, pero a\u00fan as\u00ed no devolv\u00edamos un error.\\n\\nEl resto del c\u00f3digo ahora asum\u00eda que esta solicitud tiene referencias para las extensiones de registro de actividad relevantes.\\n\\nLas implicaciones son que durante una resincronizaci\u00f3n activa, la exclusividad mutua de la resincronizaci\u00f3n frente a la E/S de la aplicaci\u00f3n no est\u00e1 garantizada. Y un posible fallo en este punto podr\u00eda no darse cuenta de que estas extensiones podr\u00edan haber sido objetivo de E/S en curso y necesitar\u00edan ser resincronizadas por si acaso.\\n\\nAdem\u00e1s, una vez que la solicitud se completa, liberar\u00e1 referencias del registro de actividad que ni siquiera posee, lo que activar\u00e1 un BUG_ON(refcnt == 0) en lc_put().\\n\\nSoluci\u00f3n:\\n\\nNo bloquear el kernel por una condici\u00f3n inofensiva durante el funcionamiento normal: tambi\u00e9n capturar \u0027e-\u0026gt;refcnt == 0\u0027, no solo \u0027e == NULL\u0027 al ser ruidoso sobre \u0027al_complete_io() called on inactive extent %u\\\\n\u0027.\\n\\nY no intentar ser inteligente y \\\"adivinar\\\" si algo funcionar\u00e1, para luego sorprenderse cuando no lo haga.\\nAfrontar el hecho de que puede o no funcionar. Si no funciona, recordar un posible estado de \u0027parcialmente en el registro de actividad\u0027 (solo posible para solicitudes que cruzan l\u00edmites de extensi\u00f3n), y devolver un c\u00f3digo de error desde drbd_al_begin_io_nonblock().\\n\\nUna llamada posterior para la misma solicitud se reanudar\u00e1 desde donde lo dejamos.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/933d161baa3794547adee621c0bf52cbf2c1b3cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cf01aa6288e1190f89865e765056e2a9d8190639\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.