{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: scsi: target: Fix recursive locking in __configfs_open_file()", "id" : "2451185", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451185" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-764", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: target: Fix recursive locking in __configfs_open_file()\nIn flush_write_buffer, &p->frag_sem is acquired and then the loaded store\nfunction is called, which, here, is target_core_item_dbroot_store(). This\nfunction called filp_open(), following which these functions were called\n(in reverse order), according to the call trace:\ndown_read\n__configfs_open_file\ndo_dentry_open\nvfs_open\ndo_open\npath_openat\ndo_filp_open\nfile_open_name\nfilp_open\ntarget_core_item_dbroot_store\nflush_write_buffer\nconfigfs_write_iter\ntarget_core_item_dbroot_store() tries to validate the new file path by\ntrying to open the file path provided to it; however, in this case, the bug\nreport shows:\ndb_root: not a directory: /sys/kernel/config/target/dbroot\nindicating that the same configfs file was tried to be opened, on which it\nis currently working on. Thus, it is trying to acquire frag_sem semaphore\nof the same file of which it already holds the semaphore obtained in\nflush_write_buffer(), leading to acquiring the semaphore in a nested manner\nand a possibility of recursive locking.\nFix this by modifying target_core_item_dbroot_store() to use kern_path()\ninstead of filp_open() to avoid opening the file using filesystem-specific\nfunction __configfs_open_file(), and further modifying it to make this fix\ncompatible.", "A flaw was found in the Linux kernel's `scsi: target` subsystem. A local user could trigger a recursive locking condition when the `target_core_item_dbroot_store()` function attempts to open a `configfs` file for which it already holds a semaphore. This could lead to a system hang, resulting in a Denial of Service (DoS)." ], "statement" : "This flaw affects systems using SCSI target (LIO) with configfs. The recursive lock occurs when writing to the dbroot configfs attribute with the path pointing to the same configfs file. This causes the frag_sem semaphore to be acquired twice, leading to a deadlock. Exploiting this requires access to the target configfs interface, typically requiring root privileges.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23292\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23292\nhttps://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23292-67e8@gregkh/T" ], "name" : "CVE-2026-23292", "csaw" : false }