CVE-2026-23434
Published: 03 April 2026
Summary
CVE-2026-23434 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Endpoint Denial of Service (T1499). The CVE is ranked at the 9.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-23434 is a race condition vulnerability in the Linux kernel's MTD raw NAND subsystem. Specifically, the nand_lock() and nand_unlock() functions invoke chip->ops.lock_area/unlock_area without acquiring the NAND device lock. On controllers implementing SET_FEATURES through multiple low-level PIO commands, this allows races with concurrent UBI/UBIFS background erase or write operations that hold the device lock, leading to cmd_pending conflicts on the NAND controller. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
A local attacker with low privileges can exploit this issue with low complexity and no user interaction required. Exploitation triggers the race condition during concurrent NAND operations, resulting in high integrity and high availability impacts, such as cmd_pending conflicts that disrupt controller access and potentially corrupt NAND operations.
Mitigation involves applying upstream kernel patches that wrap the lock/unlock operations with nand_get_device() and nand_release_device() calls to serialize them against all other NAND controller accesses. Relevant stable branch commits are available at https://git.kernel.org/stable/c/28ea836cc44cb8b89c1c174707ead0c1133c60e9, https://git.kernel.org/stable/c/5fd5c078af23cb353507aa522e09d557d7eaef04, https://git.kernel.org/stable/c/a80291e577b44593a724d6cd64c14337c78f194d, https://git.kernel.org/stable/c/bab2bc6e850a697a23b9e5f0e21bb8c187615e95, and https://git.kernel.org/stable/c/ce5229e78078e437704157eb542f43a6f83b429b.
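The following is an added example, not the upstream patch or any kernel code: a single-threaded userspace model of the interleaving described above, showing why taking the device lock around lock_area removes the cmd_pending conflict. All model_* names are hypothetical, the device lock is modeled as a flag, and the point at which the background erase arrives is fixed so the result is deterministic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model, not kernel code. All model_* names are hypothetical. */
struct model_chip {
    bool dev_held;      /* stands in for the NAND device lock */
    bool cmd_pending;   /* controller is mid-way through a command */
    bool erase_waiting; /* an erase found the device lock held and is queued */
    int  conflicts;     /* commands started while another was still pending */
    int  erases;        /* background erases that completed */
};

static void model_issue(struct model_chip *c) {
    if (c->cmd_pending) c->conflicts++;   /* the cmd_pending conflict */
    c->cmd_pending = true;
}
/* Background erase: like UBI/UBIFS work, it always takes the device lock. */
static void model_erase(struct model_chip *c) {
    if (c->dev_held) { c->erase_waiting = true; return; }  /* would sleep on the lock */
    c->dev_held = true;
    model_issue(c);
    c->cmd_pending = false;
    c->erases++;
    c->dev_held = false;
}
static void model_release_device(struct model_chip *c) {
    c->dev_held = false;
    if (c->erase_waiting) { c->erase_waiting = false; model_erase(c); }
}
/* lock_area done as SET_FEATURES in two PIO steps; the erase is scheduled between them. */
static void model_lock_area(struct model_chip *c) {
    model_issue(c);          /* PIO step 1: command and address cycles */
    model_erase(c);          /* concurrent erase arrives here */
    c->cmd_pending = false;  /* PIO step 2: data cycles, command completes */
}
/* serialized=false models the unpatched path, true the get/release wrapping. */
int model_run(bool serialized, struct model_chip *c) {
    *c = (struct model_chip){0};
    if (serialized) c->dev_held = true;        /* nand_get_device() analogue */
    model_lock_area(c);
    if (serialized) model_release_device(c);   /* nand_release_device() analogue */
    return c->conflicts;
}

int main(void) {
    struct model_chip a, b;
    printf("unserialized: %d conflict(s), serialized: %d\n", model_run(false, &a), model_run(true, &b));
    return 0;
}
```

In both runs the erase still completes; only its ordering relative to the multi-step SET_FEATURES sequence changes.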
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18673
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: serialize lock/unlock against other NAND operations
nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Race condition enables local triggering of NAND controller conflicts for availability disruption (DoS) and stored data corruption/manipulation on flash.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the race condition flaw in Linux kernel MTD raw NAND by applying patches that serialize nand_lock/unlock with nand_get_device/release_device.
Vulnerability scanning detects the unpatched kernel version vulnerable to NAND lock race conditions with concurrent UBI/UBIFS operations.
Establishes and enforces secure configuration settings for the Linux kernel, including patched versions that prevent cmd_pending conflicts in NAND controllers.