
CVE-2026-45949

Published: May 27, 2026 · Updated: May 27, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

hwrng: core - use RCU and work_struct to fix race condition

Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex lock, a concurrent hwrng_unregister() may call kthread_stop() again on the same task.

Additionally, if hwrng_unregister() is called immediately after hwrng_register(), the stopped thread may have never been executed. Thus, hwrng_fill remains dirty even after hwrng_unregister() returns. In this case, subsequent calls to hwrng_register() will fail to start new threads, and hwrng_unregister() will call kthread_stop() on the same freed task. In both cases, a use-after-free occurs:

    refcount_t: addition on 0; use-after-free.
    WARNING: ... at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0
    Call Trace:
    kthread_stop+0x181/0x360
    hwrng_unregister+0x288/0x380
    virtrng_remove+0xe3/0x200

This patch fixes the race by protecting the global hwrng_fill pointer inside the rng_mutex lock, so that hwrng_fillfn() thread is stopped only once, and calls to kthread_run() and kthread_stop() are serialized with the lock held.

To avoid deadlock in hwrng_fillfn() while being stopped with the lock held, we convert current_rng to RCU, so that get_current_rng() can read current_rng without holding the lock. To remove the lock from put_rng(), we also delay the actual cleanup into a work_struct.

Since get_current_rng() no longer returns ERR_PTR values, the IS_ERR() checks are removed from its callers.

With hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no longer clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns directly after current_rng is dropped, kthread_stop() would be called on a freed task_struct later. To fix this, hwrng_fillfn() calls schedule() now to keep the task alive until being stopped. The kthread_stop() call is also moved from hwrng_unregister() to drop_current_rng(), ensuring kthread_stop() is called on all possible paths where current_rng becomes NULL, so that the thread would not wait forever.

NVD Source
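
The second scenario in the description (hwrng_unregister() immediately after hwrng_register(), before the fill thread has ever run) can be followed step by step in a single-threaded C model. This is an added example, not kernel code and not part of the patch; `struct task`, `pool`, `model_register`, `model_unregister`, `model_kthread_stop` and `run_sequence` are hypothetical stand-ins, and the task reference count is reduced to a plain integer.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed single-threaded model; all names here are hypothetical. */
struct task { int refs; bool ran; };   /* stand-in for task_struct */
static struct task pool[4];            /* never freed: the model itself has no UB */
static int next_task;
static struct task *fill;              /* models the global hwrng_fill */
static int uaf_hits;                   /* models "refcount_t: addition on 0" */

/* old_design: only the thread body clears fill, and only if it ever ran. */
static void model_kthread_stop(struct task *t, bool old_design) {
    if (t->refs == 0) { uaf_hits++; return; }  /* stop on a freed task */
    t->refs++;                                 /* stopper pins the task */
    if (old_design && t->ran) fill = NULL;     /* exit path of the thread body */
    t->refs -= 2;                              /* task exits, stopper unpins */
}

static bool model_register(void) {             /* true if a fill thread started */
    if (fill) return false;                    /* stale pointer blocks restart */
    fill = &pool[next_task++];
    fill->refs = 1; fill->ran = false;         /* created but never scheduled */
    return true;
}

static void model_unregister(bool patched) {
    struct task *t = fill;
    if (patched) fill = NULL;   /* stopper clears it (kernel: under rng_mutex) */
    if (t) model_kthread_stop(t, !patched);
}

/* register, unregister at once, register, unregister; returns UAF count. */
static int run_sequence(bool patched, bool *restarted) {
    next_task = 0; fill = NULL; uaf_hits = 0;
    model_register();
    model_unregister(patched);
    *restarted = model_register();
    model_unregister(patched);
    return uaf_hits;
}

int main(void) {
    bool r;
    for (int p = 0; p <= 1; p++) {
        int hits = run_sequence(p, &r);
        printf("patched=%d uaf=%d restarted=%d\n", p, hits, r);
    }
    return 0;
}
```

In the unpatched ordering the stale pointer both blocks the second thread start and sends the second stop to a task whose count is already zero; with the stopper clearing the pointer, neither happens.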

Technical Analysis

CVE-2026-45949 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-45949
Severity: NONE
CISA KEV: No
Published: May 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45949 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.