{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23434", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.016Z", "datePublished": "2026-04-03T15:15:19.450Z", "dateUpdated": "2026-04-03T15:15:19.450Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:19.450Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: serialize lock/unlock against other NAND operations\n\nnand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area\nwithout holding the NAND device lock. On controllers that implement\nSET_FEATURES via multiple low-level PIO commands, these can race with\nconcurrent UBI/UBIFS background erase/write operations that hold the\ndevice lock, resulting in cmd_pending conflicts on the NAND controller.\n\nAdd nand_get_device()/nand_release_device() around the lock/unlock\noperations to serialize them against all other NAND controller access."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/mtd/nand/raw/nand_base.c"], "versions": [{"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088", "lessThan": "ce5229e78078e437704157eb542f43a6f83b429b", "status": "affected", "versionType": "git"}, {"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088", "lessThan": "a80291e577b44593a724d6cd64c14337c78f194d", "status": "affected", "versionType": "git"}, {"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088", "lessThan": "f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2", "status": "affected", "versionType": "git"}, {"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088", "lessThan": "5fd5c078af23cb353507aa522e09d557d7eaef04", "status": "affected", "versionType": "git"}, {"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088", "lessThan": "f25446e2c28939753d3b62d34dfda49952b2557d", "status": "affected", "versionType": "git"}, {"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088", "lessThan": "bab2bc6e850a697a23b9e5f0e21bb8c187615e95", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/mtd/nand/raw/nand_base.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ce5229e78078e437704157eb542f43a6f83b429b"}, {"url": "https://git.kernel.org/stable/c/a80291e577b44593a724d6cd64c14337c78f194d"}, {"url": "https://git.kernel.org/stable/c/f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2"}, {"url": "https://git.kernel.org/stable/c/5fd5c078af23cb353507aa522e09d557d7eaef04"}, {"url": "https://git.kernel.org/stable/c/f25446e2c28939753d3b62d34dfda49952b2557d"}, {"url": "https://git.kernel.org/stable/c/bab2bc6e850a697a23b9e5f0e21bb8c187615e95"}], "title": "mtd: rawnand: serialize lock/unlock against other NAND operations", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: serialize lock/unlock against other NAND operations\n\nnand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area\nwithout holding the NAND device lock. On controllers that implement\nSET_FEATURES via multiple low-level PIO commands, these can race with\nconcurrent UBI/UBIFS background erase/write operations that hold the\ndevice lock, resulting in cmd_pending conflicts on the NAND controller.\n\nAdd nand_get_device()/nand_release_device() around the lock/unlock\noperations to serialize them against all other NAND controller access."}], "id": "CVE-2026-23434", "lastModified": "2026-04-03T16:16:24.913", "metrics": {}, "published": "2026-04-03T16:16:24.913", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5fd5c078af23cb353507aa522e09d557d7eaef04"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a80291e577b44593a724d6cd64c14337c78f194d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bab2bc6e850a697a23b9e5f0e21bb8c187615e95"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ce5229e78078e437704157eb542f43a6f83b429b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f25446e2c28939753d3b62d34dfda49952b2557d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: mtd: rawnand: serialize lock/unlock against other NAND operations", "id": "2454813", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454813"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-820", "details": ["A flaw was found in the `mtd: rawnand` subsystem of the Linux kernel. This vulnerability occurs because the `nand_lock()` and `nand_unlock()` functions do not properly coordinate with other NAND operations. This can lead to a race condition where concurrent Universal Block Image (UBI) or UBIFS background operations interfere with lock/unlock calls, causing command conflicts on the NAND controller. Such conflicts can result in system instability or a denial of service."], "name": "CVE-2026-23434", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23434\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23434\nhttps://lore.kernel.org/linux-cve-announce/2026040311-CVE-2026-23434-f0f0@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[92270086b7e5ada7ab381c06cc3da2e95ed17088,ce5229e78078e437704157eb542f43a6f83b429b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[92270086b7e5ada7ab381c06cc3da2e95ed17088,a80291e577b44593a724d6cd64c14337c78f194d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[92270086b7e5ada7ab381c06cc3da2e95ed17088,f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[92270086b7e5ada7ab381c06cc3da2e95ed17088,5fd5c078af23cb353507aa522e09d557d7eaef04)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[92270086b7e5ada7ab381c06cc3da2e95ed17088,f25446e2c28939753d3b62d34dfda49952b2557d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[92270086b7e5ada7ab381c06cc3da2e95ed17088,bab2bc6e850a697a23b9e5f0e21bb8c187615e95)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:27:07.589654+00:00", "value": {"mitigation_remediation": ["Update the kernel to a release that includes the patch adding nand_get_device()/nand_release_device() around nand_lock() and nand_unlock() calls.", "If an immediate kernel update is not possible, consider disabling or reducing background UBI/UBIFS writes and erases during critical periods to minimise lock contention.", "Watch for NAND controller errors and verify data integrity after applying any changes."], "summary": {"action": "Apply Update", "impact": "Potential Data Corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Linux kernel builds that include the MTD raw NAND subsystem on controllers that use multi\u2011PIO SET_FEATURES, especially those operating UBI/UBIFS file systems. No specific kernel version is listed, so any release before the patch that adds nand_get_device()/nand_release_device() around lock/unlock is considered vulnerable.", "description_and_impact": "In the Linux kernel, a race condition occurs when nand_lock() and nand_unlock() are executed without holding the NAND device lock. This allows concurrent UBI/UBIFS background operations to overlap with SET_FEATURES commands that use multiple PIO operations, producing cmd_pending conflicts that can corrupt NAND transactions or cause system instability. The flaw is a concurrency weakness (CWE\u2011362) that may compromise data integrity.", "risk_and_exploitability": "No CVSS or EPSS data is available and the flaw is not in CISA's KEV catalog. Exploitation would require precursor kernel\u2011level access to trigger concurrent NAND operations, meaning an attacker would need to run privileged software or firmware. The potential impact is data corruption or denial of service, but the attack vector is limited to high\u2011permission context rather than external exploitation."}}}}, "created": "2026-04-03T21:14:04.018784+00:00", "updated": "2026-04-03T21:16:17.698979+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-362"]}