CVE-2026-23368 (GCVE-0-2026-23368)
Vulnerability from cvelistv5
Published
2026-03-25 10:27
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and
LED_TRIGGER_PHY are enabled:
[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
[ 1362.104022] [<80014504>] syscall_common+0x34/0x58
Here LED_TRIGGER_PHY is registering LED triggers during phy_attach
while holding RTNL and then taking triggers_list_lock.
[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
[ 1362.232164] [<80014504>] syscall_common+0x34/0x58
Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes
triggers_list_lock and then RTNL. A classical AB-BA deadlock.
phy_led_triggers_registers() does not require the RTNL, it does not
make any calls into the network stack which require protection. There
is also no requirement the PHY has been attached to a MAC, the
triggers only make use of phydev state. This allows the call to
phy_led_triggers_registers() to be placed elsewhere. PHY probe() and
release() don't hold RTNL, so solving the AB-BA deadlock.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 Version: 06f502f57d0d7728f9fa0f157ec5e4111ddb98f6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b01518eabace18f7ec8b4cafd52082303080dca",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "305afdd02ff3e694c165457793104710ec0728e5",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "c33523b8fd2d4c504ada18cd93f511f2a8f84217",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "241cd64cf2e32b28ead151b1795cd8fef2b6e482",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "2764dcb3c35de4410f642afc62cf979727470575",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "c8dbdc6e380e7e96a51706db3e4b7870d8a9402d",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [\u003c8054e4b8\u003e] led_trigger_register+0x5c/0x1fc \u003c-- Trying to get lock \"triggers_list_lock\" via down_write(\u0026triggers_list_lock);\n[ 1362.054536] [\u003c80662830\u003e] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [\u003c8065e200\u003e] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [\u003c80651fc4\u003e] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [\u003c8066ee18\u003e] mtk_open+0x7c/0xba0\n[ 1362.075849] [\u003c806d714c\u003e] __dev_open+0x280/0x2b0\n[ 1362.080384] [\u003c806d7668\u003e] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [\u003c806d7698\u003e] dev_change_flags+0x28/0x78\n[ 1362.090528] [\u003c807150e4\u003e] dev_ioctl+0x4c0/0x654 \u003c-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [\u003c80694360\u003e] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [\u003c802e9c4c\u003e] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [\u003c80014504\u003e] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [\u003c806c2640\u003e] register_netdevice_notifier+0x60/0x168 \u003c-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [\u003c805504ac\u003e] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [\u003c8054e28c\u003e] led_trigger_set+0x1d4/0x360 \u003c-- Hold lock \"triggers_list_lock\" by down_read(\u0026triggers_list_lock);\n[ 1362.207511] [\u003c8054eb38\u003e] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [\u003c80381d98\u003e] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [\u003c8037fcd8\u003e] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [\u003c802cbd70\u003e] vfs_write+0x21c/0x3c4\n[ 1362.227712] [\u003c802cc0c4\u003e] ksys_write+0x78/0x12c\n[ 1362.232164] [\u003c80014504\u003e] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don\u0027t hold RTNL, so solving the AB-BA deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:16.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b01518eabace18f7ec8b4cafd52082303080dca"
},
{
"url": "https://git.kernel.org/stable/c/305afdd02ff3e694c165457793104710ec0728e5"
},
{
"url": "https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a"
},
{
"url": "https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217"
},
{
"url": "https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482"
},
{
"url": "https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575"
},
{
"url": "https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757"
},
{
"url": "https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d"
}
],
"title": "net: phy: register phy led_triggers during probe to avoid AB-BA deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23368",
"datePublished": "2026-03-25T10:27:49.889Z",
"dateReserved": "2026-01-13T15:37:46.003Z",
"dateUpdated": "2026-04-18T08:58:16.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…