exit: prevent preemption of oopsing TASK_DEAD task

CVE	CVE-2026-46173
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 10:16:32 UTC
Updated	2026-05-30 11:17:24 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!". If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000180000 probability, percentile 0.051640000 (date 2026-05-29)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 7f80a2fd7db9a55894fd841915236aca611291b5 640b4c00fb0e2920327435f6176cbefc3c546165 git	Not specified
CNA	Linux	Linux	affected 7f80a2fd7db9a55894fd841915236aca611291b5 7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34 git	Not specified
CNA	Linux	Linux	affected 7f80a2fd7db9a55894fd841915236aca611291b5 6f49f94f3b11fe8bff1bf2a054143789e76aaf17 git	Not specified
CNA	Linux	Linux	affected 7f80a2fd7db9a55894fd841915236aca611291b5 9756b3db5db6c2f5eccb32dddbd88eb4c54f575e git	Not specified
CNA	Linux	Linux	affected 7f80a2fd7db9a55894fd841915236aca611291b5 c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 git	Not specified
CNA	Linux	Linux	affected 5.17	Not specified
CNA	Linux	Linux	unaffected 5.17 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc4 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/9756b3db5db6c2f5eccb32dddbd88eb4c54f575e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/640b4c00fb0e2920327435f6176cbefc3c546165	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6f49f94f3b11fe8bff1bf2a054143789e76aaf17	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.