CVE-2026-31557
Published: 24 April 2026
Summary
CVE-2026-31557 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 18.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31557 is a vulnerability in the Linux kernel's NVMe target (nvmet) subsystem, specifically involving recursive locking on the nvmet-wq workqueue. The issue arises during nvmet_ctrl_free() operations, where flushing ctrl->async_event_work re-enters the workqueue completion for the same worker, particularly in the RDMA CM path. This triggers a lockdep warning about possible recursive locking when async event work is queued on nvmet-wq prior to disconnect, leading to a detected deadlock scenario in kernel versions such as 6.19.0-rc3.
Remote attackers can exploit this vulnerability over the network with no privileges or user interaction required, as indicated by its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By establishing an NVMe over Fabrics (NVMe-oF) connection via RDMA and triggering the async event and queue release paths, an attacker can cause the kernel worker thread to attempt recursive acquisition of the nvmet-wq completion lock, resulting in a denial-of-service condition through the lockdep splat and potential system instability.
The provided kernel stable commit references detail the mitigation, which involves moving async event work from the shared nvmet-wq to a dedicated nvmet-aen-wq. This prevents reentrant flushes on nvmet-wq during controller teardown. Security practitioners should apply these patches to affected Linux kernels hosting NVMe target configurations, especially those using RDMA transports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25450
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

nvmet: move async event work off nvmet-wq

For target nvmet_ctrl_free() flushes ctrl->async_event_work. If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue completion for the same worker:-

A. Async event work queued on nvmet-wq (prior to disconnect):
  nvmet_execute_async_event()
    queue_work(nvmet_wq, &ctrl->async_event_work)

  nvmet_add_async_event()
    queue_work(nvmet_wq, &ctrl->async_event_work)

B. Full pre-work chain (RDMA CM path):
  nvmet_rdma_cm_handler()
    nvmet_rdma_queue_disconnect()
      __nvmet_rdma_queue_disconnect()
        queue_work(nvmet_wq, &queue->release_work)
          process_one_work()
            lock((wq_completion)nvmet-wq) <--------- 1st
            nvmet_rdma_release_queue_work()

C. Recursive path (same worker):
  nvmet_rdma_release_queue_work()
    nvmet_rdma_free_queue()
      nvmet_sq_destroy()
        nvmet_ctrl_put()
          nvmet_ctrl_free()
            flush_work(&ctrl->async_event_work)
              __flush_work()
                touch_wq_lockdep_map()
                lock((wq_completion)nvmet-wq) <--------- 2nd

Lockdep splat:

  ============================================
  WARNING: possible recursive locking detected
  6.19.0-rc3nvme+ #14 Tainted: G N
  --------------------------------------------
  kworker/u192:42/44933 is trying to acquire lock:
  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90

  but task is already holding lock:
  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660

  3 locks held by kworker/u192:42/44933:
   #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
   #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
   #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530

  Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
  Call Trace:
   __flush_work+0x268/0x530
   nvmet_ctrl_free+0x140/0x310 [nvmet]
   nvmet_cq_put+0x74/0x90 [nvmet]
   nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
   nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
   process_one_work+0x206/0x660
   worker_thread+0x184/0x320
   kthread+0x10c/0x240
   ret_from_fork+0x319/0x390

Move async event work to a dedicated nvmet-aen-wq to avoid reentrant flush on nvmet-wq.
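A log check for the splat quoted above, as an added example that is not part of the kernel commit or this advisory: it flags recursive-locking reports in which the lock being acquired and the lock already held are the same nvmet-wq completion lock and the call trace passes through nvmet_ctrl_free() into __flush_work(). The function names and the sample log are constructed for illustration, and the check assumes a kernel built with lockdep enabled, since the warning is not emitted otherwise.

```python
import re

# Constructed sample: first report abridged from the splat quoted above (dmesg
# timestamps added); second report is a made-up, unrelated workqueue.
SAMPLE_LOG = """\
[ 101.01] WARNING: possible recursive locking detected
[ 101.02] kworker/u192:42/44933 is trying to acquire lock:
[ 101.03] ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 101.04] but task is already holding lock:
[ 101.05] ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
[ 101.06] Call Trace:
[ 101.07]  __flush_work+0x268/0x530
[ 101.08]  nvmet_ctrl_free+0x140/0x310 [nvmet]
[ 202.01] WARNING: possible recursive locking detected
[ 202.02] kworker/u8:1/77 is trying to acquire lock:
[ 202.03] ffff888100000010 ((wq_completion)example-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 202.04] but task is already holding lock:
[ 202.05] ffff888100000010 ((wq_completion)example-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
[ 202.06] Call Trace:
[ 202.07]  __flush_work+0x268/0x530
"""

SPLAT = "WARNING: possible recursive locking detected"
TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
LOCK = re.compile(r"([0-9a-f]{16}) \(\(wq_completion\)([\w-]+)\)")
FRAME = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def lock_after(block, marker):
    """(address, workqueue) parsed from the line following `marker`, else None."""
    for i, line in enumerate(block[:-1]):
        if marker in line:
            m = LOCK.search(block[i + 1])
            return m.groups() if m else None

def find_nvmet_reentrant_flush(text):
    """Report splats where a worker flushes work on the nvmet-wq it is running on."""
    lines = [TS.sub("", l).strip() for l in text.splitlines()]
    starts = [i for i, l in enumerate(lines) if SPLAT in l] + [len(lines)]
    findings = []
    for a, b in zip(starts, starts[1:]):
        block = lines[a + 1:b]
        want = lock_after(block, "is trying to acquire lock:")
        held = lock_after(block, "but task is already holding lock:")
        frames = [m.group(1) for l in block if (m := FRAME.match(l))]
        if (want and want == held and want[1] == "nvmet-wq"
                and {"__flush_work", "nvmet_ctrl_free"} <= set(frames)):
            task = next(l.split()[0] for l in block if "is trying to acquire" in l)
            findings.append({"task": task, "lock": want[0], "frames": frames})
    return findings
```

A hit on a host that exports NVMe targets indicates the kernel still queues async event work on the shared nvmet-wq and has not received the change described above.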
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of the NVMe-oF/RDMA target code path to trigger a kernel deadlock (nvmet-wq recursive lock), directly matching the Application or System Exploitation sub-technique of Endpoint DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of system flaws, directly addressing CVE-2026-31557 by requiring application of the kernel patch that moves async event work to a dedicated workqueue to prevent recursive locking.
RA-5 requires vulnerability monitoring and scanning to identify kernel vulnerabilities like CVE-2026-31557 in the NVMe target subsystem, enabling proactive patching before remote exploitation via NVMe-oF RDMA.
SC-5 provides denial-of-service protection mechanisms, such as network-level rate limiting or filtering, to mitigate remote attackers triggering the nvmet recursive locking DoS over RDMA connections.