CVE-2026-46298: Linux PAPR HVPIPE Race Condition Denial of Service
A race condition exists in the Linux kernel's PAPR HVPIPE driver that can cause a system deadlock. The vulnerability occurs when an interrupt fires on the same CPU while the driver's ioctl or release handlers are executing. If both try to acquire the same lock simultaneously, the system can become unresponsive. The issue is resolved by using interrupt-safe lock primitives that prevent interrupts from firing during critical sections, eliminating the deadlock scenario. This is primarily a local denial of service affecting systems running vulnerable kernel versions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-362
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix race with interrupt handler While executing ->ioctl handler or ->release handler, if an interrupt fires on the same cpu, then we can enter into a deadlock. This patch fixes both these handlers to take spin_lock_irq{save|restore} versions of the lock to prevent this deadlock.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46298 addresses a race condition (CWE-362) in the pseries/papr-hvpipe driver within the Linux kernel. The vulnerability exists in the interaction between the ioctl and release handler code paths and interrupt handlers executing on the same CPU. When an interrupt fires while these handlers hold a spinlock using standard spin_lock mechanisms, the interrupt handler attempting to acquire the same lock creates a deadlock condition since spinlocks cannot be preempted. The fix involves replacing spin_lock calls with spin_lock_irqsave in the ioctl handler and spin_lock_irq in the release handler, ensuring interrupts are disabled during critical sections and preventing the race. This aligns with standard kernel locking best practices for code that can be interrupted.
Business impact
Organizations running Linux systems with PAPR HVPIPE driver enabled (primarily IBM POWER-based architectures) face localized denial of service risk. A local user with sufficient privileges can trigger the race condition, causing kernel hangs that require system restart. While not directly enabling data breach or privilege escalation, the availability impact can disrupt services on affected infrastructure. Systems in hybrid cloud environments using IBM POWER systems, particularly those handling time-sensitive workloads, should prioritize remediation to maintain SLA compliance.
Affected systems
The vulnerability affects the Linux kernel across multiple versions prior to the fix implementation. The PAPR HVPIPE driver is specific to POWER architecture systems (IBM POWER7 and later), used in enterprise servers and cloud deployments. Systems running Linux on x86, ARM, or other non-POWER architectures are not affected. Check your kernel version and architecture to determine exposure; POWER-based deployments including IBM PowerVM, PowerKVM, and related virtualization platforms are in scope.
Exploitability
Exploitation requires local system access and typically requires the attacker to hold user-level or higher privileges to interact with the driver's ioctl interface. No special tools or public exploits are required beyond triggering specific ioctl calls while monitoring for interrupt timing—the race condition occurs naturally under certain I/O and interrupt load conditions. The attack does not require elevated privileges initially but does require capability to access the HVPIPE device. The CVSS 4.7 MEDIUM score reflects the local attack vector and high privilege requirement, though the availability impact is severe for affected users.
Remediation
Update to a patched Linux kernel version that includes the race condition fix for the pseries/papr-hvpipe driver. Verify your specific kernel distribution and POWER architecture variant for the corresponding patched release. Interim mitigation involves limiting local user access to HVPIPE device files through file permissions and access controls, though this may impact legitimate driver functionality. Test patches in non-production environments first, as kernel updates require system restart.
Patch guidance
Coordinate with your Linux distribution vendor (Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Canonical Ubuntu, or others) to obtain the patched kernel version addressing CVE-2026-46298. Verify the patch is included by checking kernel changelogs or release notes for mentions of 'pseries/papr-hvpipe' or 'race condition' fixes. Schedule kernel patching during your standard maintenance window; most organizations apply kernel updates during planned downtime to avoid unscheduled restarts. Test the patched kernel in a staging environment mirroring your production POWER architecture configuration before broad deployment.
Detection guidance
Monitor kernel logs for signs of the race condition: look for soft lockup warnings, RCU stall messages, or watchdog timeout events that correlate with HVPIPE driver activity. Tools like perf or trace-cmd can help correlate interrupt timing with ioctl calls. On affected systems, elevated interrupt load combined with HVPIPE driver use may precede hangs. System monitoring should track kernel panic or hang events on POWER-based systems. If you suspect exploitation or exposure, verify your kernel version against vendor advisories and check loaded driver modules to confirm PAPR HVPIPE presence.
Why prioritize this
Although assigned a MEDIUM CVSS score, this vulnerability warrants prompt attention for POWER-based infrastructure due to the high availability impact of kernel hangs. The fix is straightforward and well-understood (interrupt-safe locking), reducing deployment risk. Organizations should prioritize this alongside other kernel race condition fixes in their patch cycles, particularly if running production workloads on IBM POWER systems. The lack of widespread exploitation data should not delay patching, as the technical mechanism is well-documented.
Risk score, explained
The CVSS 4.7 score reflects: local attack vector (AV:L) requiring direct system access; high complexity (AC:H) due to race condition timing dependencies; low privilege requirement (PR:L) for device access; no confidentiality or integrity impact; and high availability impact (A:H) from denial of service via kernel hang. The score does not fully capture infrastructure-specific severity for organizations heavily invested in POWER architecture, where kernel hangs directly impact business continuity.
Frequently asked questions
Do non-POWER Linux systems need to patch this vulnerability?
No. CVE-2026-46298 affects only the PAPR HVPIPE driver, which is specific to IBM POWER-based architectures. Systems running Linux on x86, ARM, or other architectures are not vulnerable and do not require this patch.
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access and the ability to interact with the HVPIPE device driver. Remote exploitation is not possible. The local privilege requirement (PR:L) means the attacker must already have a foothold on the system.
What happens if I do not patch this vulnerability?
Vulnerable systems remain susceptible to denial of service attacks triggering kernel hangs. An attacker with local access can cause the system to become unresponsive, requiring a reboot to recover. This impacts availability but does not lead to data theft or privilege escalation.
Is there a temporary workaround if I cannot patch immediately?
Restrict access to HVPIPE device files using file system permissions to limit local user access. However, this may impact applications that depend on the driver. Patching remains the proper solution; workarounds are not recommended for production systems with legitimate driver use.
This analysis is provided for informational purposes based on available technical data as of the publication date. Actual exploitation risk, affected versions, and patch availability vary by Linux distribution and deployment configuration. Organizations should verify their specific kernel version, POWER architecture variant, and vendor patch status directly with their distribution provider before implementing remediation. No exploit code or detailed attack procedures are provided. Always test patches in non-production environments first. SEC.co makes no guarantees regarding the completeness or accuracy of this assessment for your specific infrastructure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11253MEDIUMChrome Permissions Flaw Allows Cross-Origin Data Leak
- CVE-2026-46187MEDIUMLinux RSI Driver Use-After-Free Vulnerability (CVSS 4.7)
- CVE-2026-46272MEDIUMLinux CoreSight TMC-ETR Race Condition DoS
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-46157HIGHLinux Kernel ALSA PCM OSS Data Race Vulnerability
- CVE-2026-46275HIGHLinux Kernel Bluetooth HCI UART Use-After-Free & Race Condition Vulnerability
- CVE-2026-11145MEDIUMChrome Android Geolocation Race Condition Data Leak
- CVE-2026-47741MEDIUMShopper Discount Over-Redemption Race Condition (MEDIUM)