Cyber Resilience

CVE-2026-31557

High

Published: 24 April 2026

Modified: 27 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (18.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31557 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 18.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31557 is a vulnerability in the Linux kernel's NVMe target (nvmet) subsystem, specifically involving recursive locking on the nvmet-wq workqueue. The issue arises during nvmet_ctrl_free() operations, where flushing ctrl->async_event_work re-enters the workqueue completion for the same worker, particularly in the RDMA CM path. This triggers a lockdep warning about possible recursive locking when async event work is queued on nvmet-wq prior to disconnect, leading to a detected deadlock scenario in kernel versions such as 6.19.0-rc3.

Remote attackers can exploit this vulnerability over the network with no privileges or user interaction required, as indicated by its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By establishing an NVMe over Fabrics (NVMe-oF) connection via RDMA and triggering the async event and queue release paths, an attacker can cause the kernel worker thread to attempt recursive acquisition of the nvmet-wq completion lock, resulting in a denial-of-service condition through the lockdep splat and potential system instability.

The provided kernel stable commit references detail the mitigation, which involves moving async event work from the shared nvmet-wq to a dedicated nvmet-aen-wq. This prevents reentrant flushes on nvmet-wq during controller teardown. Security practitioners should apply these patches to affected Linux kernels hosting NVMe target configurations, especially those using RDMA transports.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

nvmet: move async event work off nvmet-wq

For target nvmet_ctrl_free() flushes ctrl->async_event_work.
If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue
completion for the same worker:-

A. Async event work queued on nvmet-wq (prior to disconnect):
  nvmet_execute_async_event()
     queue_work(nvmet_wq, &ctrl->async_event_work)

  nvmet_add_async_event()
     queue_work(nvmet_wq, &ctrl->async_event_work)

B. Full pre-work chain (RDMA CM path):
  nvmet_rdma_cm_handler()
     nvmet_rdma_queue_disconnect()
       __nvmet_rdma_queue_disconnect()
         queue_work(nvmet_wq, &queue->release_work)
           process_one_work()
             lock((wq_completion)nvmet-wq) <--------- 1st
             nvmet_rdma_release_queue_work()

C. Recursive path (same worker):
  nvmet_rdma_release_queue_work()
     nvmet_rdma_free_queue()
       nvmet_sq_destroy()
         nvmet_ctrl_put()
           nvmet_ctrl_free()
             flush_work(&ctrl->async_event_work)
               __flush_work()
                 touch_wq_lockdep_map()
                 lock((wq_completion)nvmet-wq) <--------- 2nd

Lockdep splat:

  ============================================
  WARNING: possible recursive locking detected
  6.19.0-rc3nvme+ #14 Tainted: G N
  --------------------------------------------
  kworker/u192:42/44933 is trying to acquire lock:
  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90

  but task is already holding lock:
  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660

  3 locks held by kworker/u192:42/44933:
   #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
   #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
   #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530

  Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
  Call Trace:
   __flush_work+0x268/0x530
   nvmet_ctrl_free+0x140/0x310 [nvmet]
   nvmet_cq_put+0x74/0x90 [nvmet]
   nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
   nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
   process_one_work+0x206/0x660
   worker_thread+0x184/0x320
   kthread+0x10c/0x240
   ret_from_fork+0x319/0x390

Move async event work to a dedicated nvmet-aen-wq to avoid reentrant
flush on nvmet-wq.
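The recursion described under "Deeper analysis" and in the call chains above, as an added example that is neither kernel code nor part of the original advisory: a simplified user-space C model of lockdep's held-lock check. The helpers map_acquire(), flush_work_on() and run_teardown() are hypothetical names; only the workqueue names come from the page. It compares flushing async event work that sits on nvmet-wq with flushing work that sits on the dedicated nvmet-aen-wq.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: simplified user-space model of lockdep's per-task
 * held-lock list. Not kernel code; all helper names are hypothetical. */
#define MAX_HELD 8
static const char *held[MAX_HELD];
static int nheld, recursion_warnings;

/* Like lockdep, warn when a class is acquired while already held. */
static void map_acquire(const char *cls) {
    for (int i = 0; i < nheld; i++)
        if (strcmp(held[i], cls) == 0) {
            recursion_warnings++;
            printf("WARNING: recursive acquire of (wq_completion)%s\n", cls);
        }
    if (nheld < MAX_HELD) held[nheld++] = cls;
}
static void map_release(void) { if (nheld > 0) nheld--; }

/* Models __flush_work() -> touch_wq_lockdep_map(): acquire, then release,
 * the completion map of the workqueue the flushed work item is queued on. */
static void flush_work_on(const char *work_wq) {
    map_acquire(work_wq);
    map_release();
}

/* Models nvmet_rdma_release_queue_work() ending in nvmet_ctrl_free(). */
static void release_queue_work(const char *aen_wq) {
    flush_work_on(aen_wq);       /* flush_work(&ctrl->async_event_work) */
}

/* Models process_one_work(): the executing workqueue's map stays held while
 * the work function runs. Returns the number of recursion warnings. */
int run_teardown(const char *running_wq, const char *aen_wq) {
    nheld = 0; recursion_warnings = 0;
    map_acquire(running_wq);     /* 1st acquisition */
    release_queue_work(aen_wq);  /* 2nd acquisition happens in here */
    map_release();
    return recursion_warnings;
}

int main(void) {
    printf("before fix: %d warning(s)\n", run_teardown("nvmet-wq", "nvmet-wq"));
    printf("after fix:  %d warning(s)\n", run_teardown("nvmet-wq", "nvmet-aen-wq"));
    return 0;
}
```

The release work still runs on nvmet-wq in both calls; only the queue that owns the flushed async event work changes, which is why the second acquisition no longer hits a class the worker already holds.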

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote exploitation of NVMe-oF/RDMA target code path to trigger kernel deadlock (nvmet-wq recursive lock), directly matching Application or System Exploitation sub-technique for Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23388 · Same product: Linux Linux Kernel
CVE-2026-23242 · Same product: Linux Linux Kernel
CVE-2026-22991 · Same product: Linux Linux Kernel
CVE-2025-21717 · Same product: Linux Linux Kernel
CVE-2026-23459 · Same product: Linux Linux Kernel
CVE-2026-31640 · Same product: Linux Linux Kernel
CVE-2026-31739 · Same product: Linux Linux Kernel
CVE-2024-56772 · Same product: Linux Linux Kernel
CVE-2026-23095 · Same product: Linux Linux Kernel
CVE-2026-31417 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.18, 7.0 · 5.15.42 — 5.16 · 5.17.10 — 5.18 · 5.18.1 — 6.12.80

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and correction of system flaws, directly addressing CVE-2026-31557 by requiring application of the kernel patch that moves async event work to a dedicated workqueue to prevent recursive locking.

prevent

RA-5 requires vulnerability monitoring and scanning to identify kernel vulnerabilities like CVE-2026-31557 in the NVMe target subsystem, enabling proactive patching before remote exploitation via NVMe-oF RDMA.

prevent, detect

SC-5 provides denial-of-service protection mechanisms, such as network-level rate limiting or filtering, to mitigate remote attackers triggering the nvmet recursive locking DoS over RDMA connections.

References