CVE-2026-52977

Source
https://cve.org/CVERecord?id=CVE-2026-52977
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52977.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52977
Downstream
Published
2026-06-24T16:28:53.937Z
Modified
2026-07-08T08:13:44.697091376Z
Summary
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
Details

In the Linux kernel, the following vulnerability has been resolved:

futex: Prevent lockup in requeue-PI during signal/ timeout wakeup

During wait-requeue-pi (task A) and requeue-PI (task B) the following race can happen:

 Task A                             Task B

futexwaitrequeuepi() futexsetuptimer() futexdowait() futexrequeue() CLASS(hb, hb1)(&key1); CLASS(hb, hb2)(&key2); timeout futexrequeuepiwakeupsync() requeuestate = QREQUEUEPIIGNORE

*blocks on hb->lock*

                                    futex_proxy_trylock_atomic()
                                      futex_requeue_pi_prepare()
                                        Q_REQUEUE_PI_IGNORE => -EAGAIN
                                    double_unlock_hb(hb1, hb2)
                                     *retry*

Task B acquires both hb locks and attempts to acquire the PI-lock of the top most waiter (task B). Task A is leaving early due to a signal/ timeout and started removing itself from the queue. It updates its requeue_state but can not remove it from the list because this requires the hb lock which is owned by task B.

Usually task A is able to swoop the lock after task B unlocked it. However if task B is of higher priority then task A may not be able to wake up in time and acquire the lock before task B gets it again. Especially on a UP system where A is never scheduled.

As a result task A blocks on the lock and task B busy loops, trying to make progress but live locks the system instead. Tragic.

This can be fixed by removing the top most waiter from the list in this case. This allows task B to grab the next top waiter (if any) in the next iteration and make progress.

Remove the top most waiter if futexrequeuepiprepare() fails. Let the waiter conditionally remove itself from the list in handleearlyrequeuepi_wakeup().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52977.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
07d91ef510fb16a2e0ca7453222105835b7ba3b8
Fixed
4e0ed44e51727d56244a822ab941efe507c47966
Fixed
e3f95b1ba242e37093305812df7fdbe7288a43ac
Fixed
0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf
Fixed
69a7cfc66405aeaa2483147653d031b3592ffc9c
Fixed
0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0
Fixed
bc7304f3ae20972d11db6e0b1b541c63feda5f05

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52977.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52977.json"