CVE-2026-23356
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Description
In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log extents. The implcations are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realizs that these extents could have been target of in-flight IO and would need to be resynced just in case. Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). Fix: Do not crash the kernel for a condition that is harmless during normal operation: also catch "e->refcnt == 0", not only "e == NULL" when being noisy about "al_complete_io() called on inactive extent %u\n". And do not try to be smart and "guess" whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work. If it does not, remember a possible "partially in activity log" state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock(). A latter call for the same request will then resume from where we left off.
INFO
Published Date :
March 25, 2026, 11:16 a.m.
Last Modified :
April 24, 2026, 7:06 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Apply the kernel patch for drbd.
- Ensure mutual exclusivity between resync and IO.
- Handle potential partial activity log states.
- Return appropriate error codes on failure.
Public PoC/Exploit Available at Github
CVE-2026-23356 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-23356.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-23356 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-23356
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
DSA and DLA for Debian last 14 days
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-23356 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-23356 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 24, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Added CWE CWE-617 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:3.10:-:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.7 *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.17 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.130 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.77 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.203 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.167 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.10.1 up to (excluding) 5.10.253 Added Reference Type kernel.org: https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/933d161baa3794547adee621c0bf52cbf2c1b3cd Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/cf01aa6288e1190f89865e765056e2a9d8190639 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153 Types: Patch -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Apr. 18, 2026
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/933d161baa3794547adee621c0bf52cbf2c1b3cd Added Reference https://git.kernel.org/stable/c/cf01aa6288e1190f89865e765056e2a9d8190639 -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Mar. 25, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log extents. The implcations are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realizs that these extents could have been target of in-flight IO and would need to be resynced just in case. Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). Fix: Do not crash the kernel for a condition that is harmless during normal operation: also catch "e->refcnt == 0", not only "e == NULL" when being noisy about "al_complete_io() called on inactive extent %u\n". And do not try to be smart and "guess" whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work. If it does not, remember a possible "partially in activity log" state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock(). A latter call for the same request will then resume from where we left off. Added Reference https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d Added Reference https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b Added Reference https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508 Added Reference https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b Added Reference https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5 Added Reference https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153