CVE-2026-23434
HIGHmtd: rawnand: serialize lock/unlock against other NAND operations
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
References (10)
Core 10
Core References
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-019113.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
Scores
CVSS v3
7.1
EPSS
0.0013
EPSS Percentile
3.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
Status
published
Products (29)
linux/Kernel
5.11.0 - 5.15.203linux
linux/Kernel
5.16.0 - 6.1.167linux
linux/Kernel
5.7.0 - 5.10.253linux
linux/Kernel
6.13.0 - 6.18.20linux
linux/Kernel
6.19.0 - 6.19.10linux
linux/Kernel
6.2.0 - 6.6.130linux
linux/Kernel
6.7.0 - 6.12.78linux
Linux/Linux
< 5.7
Linux/Linux
5.10.253 - 5.10.*
Linux/Linux
5.15.203 - 5.15.*
... and 19 more
Published
Apr 03, 2026
Tracked Since
Apr 03, 2026