{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nvmet: move async event work off nvmet-wq",
    "id" : "2461463",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461463"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnvmet: move async event work off nvmet-wq\nFor target nvmet_ctrl_free() flushes ctrl->async_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\nA. Async event work queued on nvmet-wq (prior to disconnect):\nnvmet_execute_async_event()\nqueue_work(nvmet_wq, &ctrl->async_event_work)\nnvmet_add_async_event()\nqueue_work(nvmet_wq, &ctrl->async_event_work)\nB. Full pre-work chain (RDMA CM path):\nnvmet_rdma_cm_handler()\nnvmet_rdma_queue_disconnect()\n__nvmet_rdma_queue_disconnect()\nqueue_work(nvmet_wq, &queue->release_work)\nprocess_one_work()\nlock((wq_completion)nvmet-wq)  <--------- 1st\nnvmet_rdma_release_queue_work()\nC. Recursive path (same worker):\nnvmet_rdma_release_queue_work()\nnvmet_rdma_free_queue()\nnvmet_sq_destroy()\nnvmet_ctrl_put()\nnvmet_ctrl_free()\nflush_work(&ctrl->async_event_work)\n__flush_work()\ntouch_wq_lockdep_map()\nlock((wq_completion)nvmet-wq) <--------- 2nd\nLockdep splat:\n============================================\nWARNING: possible recursive locking detected\n6.19.0-rc3nvme+ #14 Tainted: G                 N\n--------------------------------------------\nkworker/u192:42/44933 is trying to acquire lock:\nffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\nbut task is already holding lock:\nffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n3 locks held by kworker/u192:42/44933:\n#0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n#1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n#2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\nWorkqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\nCall Trace:\n__flush_work+0x268/0x530\nnvmet_ctrl_free+0x140/0x310 [nvmet]\nnvmet_cq_put+0x74/0x90 [nvmet]\nnvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\nnvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\nprocess_one_work+0x206/0x660\nworker_thread+0x184/0x320\nkthread+0x10c/0x240\nret_from_fork+0x319/0x390\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on nvmet-wq.", "A flaw was found in the Linux kernel, specifically within the NVMe over Fabrics (NVMe-oF) target's nvmet and nvmet_rdma modules. A local attacker could potentially trigger a recursive locking condition in the nvmet-wq workqueue during asynchronous event processing. This issue arises when nvmet_ctrl_free() attempts to flush an asynchronous event work while already executing on the same workqueue, leading to a deadlock. The most important consequence is a Denial of Service (DoS), causing system instability or unresponsiveness." ],
  "statement" : "NVMe-oF target async events were moved off the shared workqueue to avoid a lock recursion (`nvmet_rdma` vs `nvmet` work). Red Hat advises NVMe target operators to patch; exposure is limited to configurations exporting namespaces over fabrics.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31557\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31557\nhttps://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31557-dca7@gregkh/T" ],
  "name" : "CVE-2026-31557",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the nvmet module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}