CVE-2026-46327: Linux Kernel Device Mapper Race Condition Vulnerability
A timing vulnerability exists in the Linux kernel's device mapper (dm) subsystem where a race condition can occur between checking if a device is suspended and actually retrieving its active table. An unprivileged local user could potentially exploit this gap to access a device after it appears suspended, leading to data corruption or privilege escalation. The fix reorders the operations to ensure the device cannot transition to suspended state between the safety check and table access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dm_suspended_md The function dm_blk_report_zones tests if the device is suspended with the "dm_suspended_md" call. However, this function is called without holding any locks, so the device may be suspended just after it. Move the call to dm_suspended_md after dm_get_live_table, so that the device can't be suspended after the suspended state was tested.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46327 is a race condition in the Linux kernel's dm_blk_report_zones function. The vulnerability stems from an unlocked test of dm_suspended_md that occurs before dm_get_live_table is called. An attacker can exploit the window between the suspension check and table acquisition to cause the device to become suspended, potentially leading to use-after-free conditions or accessing invalid table pointers. The fix moves the dm_suspended_md call after dm_get_live_table, ensuring proper synchronization and preventing the device from transitioning to a suspended state during the critical section.
Business impact
Successful exploitation could allow local attackers to corrupt data on device mapper volumes, cause kernel crashes, or potentially escalate privileges on affected systems. For organizations running virtualization platforms, storage services, or container infrastructure that rely on the device mapper for logical volume management, this could disrupt service availability and compromise data integrity.
Affected systems
The Linux kernel device mapper subsystem is affected. Any system using device mapper for LVM, LUKS, or other block device management is potentially vulnerable. The vulnerability requires local access and unprivileged user privileges, limiting the attack surface to systems where local user accounts exist.
Exploitability
Exploitation requires local system access with unprivileged user privileges. An attacker must trigger dm_blk_report_zones while racing a device suspension event, which demands precise timing but is feasible given the relatively large window between the unprotected check and lock acquisition. No special knowledge of kernel internals or debugging capabilities is required.
Remediation
Affected systems should update the Linux kernel to a version containing the fix. The patch involves moving the dm_suspended_md check to occur after dm_get_live_table acquisition, ensuring proper locking prevents the race condition. Verify specific patched kernel versions against your Linux distribution's security advisories.
Patch guidance
Consult your Linux distribution's security updates for patched kernel versions that address this vulnerability. Major distributions (Red Hat, Debian, Ubuntu, SUSE) maintain their own kernel patching schedules and backport policies. Update to the latest stable or long-term support kernel version available for your platform. Test kernel updates in a non-production environment before deployment to ensure compatibility with your workloads.
Detection guidance
Monitor system logs for device mapper errors or kernel warnings related to suspension state transitions. In production, track dm device access patterns and look for anomalous zone reporting calls. Kernel-based security monitoring (eBPF, auditd) can log device mapper operations. Correlate any detected activity with timeline analysis of when devices were suspended or offline.
Why prioritize this
This vulnerability scores 7.8 (HIGH severity) with local attack vector. While it requires local user access and unprivileged privileges, the potential for privilege escalation and data corruption on critical storage infrastructure warrants prompt patching. Organizations with multi-tenant systems or significant local user populations should prioritize remediation.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects: Local attack vector (not network-exploitable), Low complexity (race condition timing is achievable), Low privilege requirements, High impact across confidentiality, integrity, and availability. The primary limiting factors are the requirement for local access and the need for precise race condition timing.
Frequently asked questions
Can this be exploited remotely?
No. The vulnerability requires local system access with at least unprivileged user privileges. Remote attackers cannot trigger this condition.
Does this affect all device mapper users?
Any system using the Linux kernel's device mapper subsystem could be vulnerable, including those using LVM, LUKS encryption, or containerized environments. However, the attacker must have local user access to the system.
What is the actual impact if exploited?
An attacker could corrupt data on device mapper volumes, crash the kernel, or potentially escalate privileges. The exact impact depends on the workload and how the device mapper is configured, but integrity and availability are the primary concerns.
Is there a workaround if I cannot patch immediately?
Restrict local user access to affected systems where possible. Disable zone reporting features if not required for your workload. However, patching is the definitive remediation; workarounds only reduce attack surface, not risk.
This analysis is based on the CVE description and CVSS scoring as of the publication date. Exploitation complexity and actual impact may vary based on specific kernel configurations, distribution patches, and system architecture. Organizations should verify patched kernel versions against their distribution's official security advisories. This information is for defensive security purposes and is not intended to facilitate unauthorized access to systems. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment