CVE-2026-45955: md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout
In the Linux kernel, the following vulnerability has been resolved:

md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout

When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref. The caller (md_llbitmap_daemon_fn) then continues to the next page without calling llbitmap_resume(), leaving the percpu_ref in a killed state permanently.

Fix this by resurrecting the percpu_ref before returning the error, ensuring the page control structure remains usable for subsequent operations.
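The lifecycle described above, as an added user-space model in C (not the kernel's source and not HarborGuard's code). The `model_*` names, the poll count and the single-threaded stand-in for the bounded wait are assumptions made for illustration; `fixed` selects the behaviour with or without the resurrect-on-timeout step.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a percpu_ref: in-flight users plus a killed flag. */
struct model_ref { int users; bool killed; };

/* Models percpu_ref_tryget_live(): refused while the ref is killed. */
static bool model_tryget_live(struct model_ref *r)
{
    if (r->killed)
        return false;
    r->users++;
    return true;
}

/* Models the suspend step: kill, then wait a bounded time for users to drain. */
static int model_suspend_timeout(struct model_ref *r, int polls, bool fixed)
{
    r->killed = true;                 /* percpu_ref_kill() */
    for (int i = 0; i < polls && r->users > 0; i++)
        continue;                     /* stand-in for the bounded wait */
    if (r->users > 0) {
        if (fixed)
            r->killed = false;        /* percpu_ref_resurrect() before the error */
        return -ETIMEDOUT;
    }
    return 0;
}

/* One daemon pass over a page: resume runs only when suspend succeeded.
 * Returns whether a later writer can still take the reference. */
static bool writer_ok_after_daemon_pass(int inflight, bool fixed)
{
    struct model_ref r = { .users = inflight, .killed = false };

    if (model_suspend_timeout(&r, 3, fixed) == 0)
        r.killed = false;             /* llbitmap_resume() in the description */
    r.users = 0;                      /* in-flight users finish afterwards */
    return model_tryget_live(&r);
}

int main(void)
{
    printf("no timeout: %d\n", writer_ok_after_daemon_pass(0, false));
    printf("timeout, unpatched: %d\n", writer_ok_after_daemon_pass(1, false));
    printf("timeout, patched: %d\n", writer_ok_after_daemon_pass(1, true));
    return 0;
}
```

In the unpatched timeout case the reference stays killed even after the in-flight users have finished, which is the permanent state the description refers to.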
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
This is a resource-lifecycle bug in the Linux kernel's md/md-llbitmap subsystem, a component that manages write-intent bitmaps for software RAID arrays. An attacker with a low-privilege local account can trigger the defect, which leaves an internal reference counter (percpu_ref) in a permanently killed state after a suspend timeout, corrupting the RAID bitmap page control structure. Successful exploitation allows the attacker to tamper with RAID bitmap integrity and crash the affected subsystem, resulting in data tampering and denial of service. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel.
HarborGuard Coverage
Detection of CVE-2026-45955 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that carry an affected kernel version.
Triage is available using the CVSS v3.1 score of 7.1 (HIGH), weighted further by any per-environment compliance policies the customer has configured; findings are routed to the appropriate team inbox within each customer organization based on those policies.
A patched-image rebuild at the fix versions (6.18.14, 6.19.4, and the upstream commit references) is available on HarborGuard for any image found running an affected kernel. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path is required to reach the vulnerable code.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the defect; no administrative credentials are needed.
- Victim interaction: Not required
No user interaction is required; the attacker can trigger the fault independently.
- Attack complexity
The exploit is reliable and condition-free once local access is established; no race condition or special memory layout is required.
Blast Radius
- Modifies RAID write-intent bitmap structures, corrupting the record of which disk blocks need to be resynced after an unclean shutdown.
- Permanently kills an internal reference counter (percpu_ref), making the affected bitmap page control structure unusable for any subsequent RAID operations.
- Crashes the md-llbitmap subsystem, causing denial of service for the software RAID array managed by that bitmap.
- Does not expose confidential data; impact is limited to integrity and availability of the RAID subsystem.
How HarborGuard Handles This
Available on HarborGuard: images containing an affected Linux kernel version are flagged at ingest, matched against the published fix commits and stable release versions (6.18.14 and 6.19.4). Where compliance policy permits, auto-remediation customers receive a rebuilt image based on a patched kernel, a regression-test run against that image, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For customers who have not enabled auto-remediation, the finding appears in the dashboard with severity HIGH and recommended fix versions noted. As a compensating control while a kernel update is scheduled, consider isolating hosts running software RAID from untrusted local users via namespace or cgroup restrictions to reduce the pool of accounts that can reach the vulnerable code path.
Fix available
- Linux / Linux: < 095417d6b669c2dec39a5842ccb94df915f97f54 (from 5ab829f1971dc99f2aac10846c378e67fc875abc) · < 2446d099350185caeed19ab2c0270451a97296fb (from 5ab829f1971dc99f2aac10846c378e67fc875abc) · < d119bd2e1643cc023210ff3c6f0657e4f914e71d (from 5ab829f1971dc99f2aac10846c378e67fc875abc)
- Linux / Linux 6.18: Fixed in 0, 6.18.14, 6.19.4, 7.0
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H