CVE-2026-23356

// PoC Concept: Triggering DRBD IO race condition // This is a conceptual example. Local access is required. #include <stdio.h> #include <fcntl.h> #include <unistd.h> int main() { // Open the DRBD device (requires access permissions) int fd = open("/dev/drbd0", O_RDWR); if (fd < 0) { perror("Failed to open device"); return 1; } char buffer[4096]; // Perform write operations to potentially trigger the nonblock IO path // In a real scenario, specific timing and load are needed to hit the race. for (int i = 0; i < 10000; i++) { pwrite(fd, buffer, sizeof(buffer), 4096 * i); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-23356", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:34.270", "lastModified": "2026-04-24T19:06:21.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()\n\nEven though we check that we \"should\" be able to do lc_get_cumulative()\nwhile holding the device->al_lock spinlock, it may still fail,\nif some other code path decided to do lc_try_lock() with bad timing.\n\nIf that happened, we logged \"LOGIC BUG for enr=...\",\nbut still did not return an error.\n\nThe rest of the code now assumed that this request has references\nfor the relevant activity log extents.\n\nThe implcations are that during an active resync, mutual exclusivity of\nresync versus application IO is not guaranteed. And a potential crash\nat this point may not realizs that these extents could have been target\nof in-flight IO and would need to be resynced just in case.\n\nAlso, once the request completes, it will give up activity log references it\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\n\nFix:\n\nDo not crash the kernel for a condition that is harmless during normal\noperation: also catch \"e->refcnt == 0\", not only \"e == NULL\"\nwhen being noisy about \"al_complete_io() called on inactive extent %u\\n\".\n\nAnd do not try to be smart and \"guess\" whether something will work, then\nbe surprised when it does not.\nDeal with the fact that it may or may not work. If it does not, remember a\npossible \"partially in activity log\" state (only possible for requests that\ncross extent boundaries), and return an error code from\ndrbd_al_begin_io_nonblock().\n\nA latter call for the same request will then resume from where we left off."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrbd: corrige el 'LOGIC BUG' en drbd_al_begin_io_nonblock()\n\nAunque verificamos que \"deberíamos\" poder hacer lc_get_cumulative() mientras mantenemos el spinlock device-&gt;al_lock, aún puede fallar, si alguna otra ruta de código decidió hacer lc_try_lock() con una sincronización deficiente.\n\nSi eso sucedía, registrábamos 'LOGIC BUG for enr=...', pero aún así no devolvíamos un error.\n\nEl resto del código ahora asumía que esta solicitud tiene referencias para las extensiones de registro de actividad relevantes.\n\nLas implicaciones son que durante una resincronización activa, la exclusividad mutua de la resincronización frente a la E/S de la aplicación no está garantizada. Y un posible fallo en este punto podría no darse cuenta de que estas extensiones podrían haber sido objetivo de E/S en curso y necesitarían ser resincronizadas por si acaso.\n\nAdemás, una vez que la solicitud se completa, liberará referencias del registro de actividad que ni siquiera posee, lo que activará un BUG_ON(refcnt == 0) en lc_put().\n\nSolución:\n\nNo bloquear el kernel por una condición inofensiva durante el funcionamiento normal: también capturar 'e-&gt;refcnt == 0', no solo 'e == NULL' al ser ruidoso sobre 'al_complete_io() called on inactive extent %u\\n'.\n\nY no intentar ser inteligente y \"adivinar\" si algo funcionará, para luego sorprenderse cuando no lo haga.\nAfrontar el hecho de que puede o no funcionar. Si no funciona, recordar un posible estado de 'parcialmente en el registro de actividad' (solo posible para solicitudes que cruzan límites de extensión), y devolver un código de error desde drbd_al_begin_io_nonblock().\n\nUna llamada posterior para la misma solicitud se reanudará desde donde lo dejamos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "46C43745-1FF5-4C18-BB36-8DD55CD8BD8D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6 ... (truncated)