HIGH
mtd NAND Race
CVE-2026-23434
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
KernelScan AI 3.9 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: serialize lock/unlock against other NAND operations

nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller.

Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
02 KernelScan AI Analysis
Risk summary
Systems using raw NAND flash through the MTD subsystem are exposed to a denial of service when NAND lock/unlock operations race with concurrent UBI/UBIFS background erase/write operations. This affects embedded devices, storage appliances, and other systems running UBI/UBIFS on raw NAND. A successful race produces NAND controller command conflicts, which can lead to kernel crashes or system hangs.
Vulnerability analysis
The root cause is a missing lock acquisition in nand_lock() and nand_unlock(). These functions invoke chip->ops.lock_area/unlock_area without holding the NAND device lock, so they can run concurrently with UBI/UBIFS background operations that do hold it; the background path is correct, and the defect lies entirely on the lock/unlock side. On controllers that implement SET_FEATURES via multiple low-level PIO commands, a background command issued between those PIO steps creates cmd_pending conflicts on the NAND controller. The fix serializes these operations by adding nand_get_device()/nand_release_device() around the lock/unlock handlers, so they wait for, and exclude, every other NAND controller access. Exploitation requires privileged local access to issue NAND lock or unlock commands via the MTD interface.
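The interleaving described above, as an added stand-alone model (constructed here; it is not kernel code, and the names nand_model, begin_cmd, background_erase_step and nand_lock_conflicts are hypothetical): a multi-step SET_FEATURES sequence is preempted by a background erase that takes the device lock, and the only difference between the vulnerable and fixed runs is whether the lock path holds that device lock first.

```c
#include <stdbool.h>

/* Constructed model of the race; names are hypothetical, not kernel code. */
struct nand_model {
    bool dev_locked;   /* stands in for the lock nand_get_device() takes */
    bool cmd_pending;  /* controller has a low-level command in flight */
    int  conflicts;    /* commands started while another was pending */
};

/* Start a low-level PIO command; a second one in flight is a conflict. */
static void begin_cmd(struct nand_model *m)
{
    if (m->cmd_pending) m->conflicts++;
    m->cmd_pending = true;
}
static void end_cmd(struct nand_model *m) { m->cmd_pending = false; }

/* Background UBI/UBIFS erase: it always takes the device lock, so it only
 * proceeds when the lock is free (waiting is modelled as skipping the step). */
static void background_erase_step(struct nand_model *m)
{
    if (m->dev_locked) return;
    m->dev_locked = true;
    begin_cmd(m);
    end_cmd(m);
    m->dev_locked = false;
}

/* SET_FEATURES built from several PIO commands; between each one the
 * background erase gets a chance to run (the preemption point). */
static void set_features_lock_area(struct nand_model *m)
{
    for (int i = 0; i < 3; i++) {
        begin_cmd(m);
        background_erase_step(m);
        end_cmd(m);
    }
}

/* nand_lock() with (fixed) or without (vulnerable) the device lock held;
 * returns how many cmd_pending conflicts the controller saw. */
int nand_lock_conflicts(bool serialized)
{
    struct nand_model m = {0};
    if (serialized) m.dev_locked = true;   /* nand_get_device() */
    set_features_lock_area(&m);
    m.dev_locked = false;                  /* nand_release_device() */
    return m.conflicts;
}
```

Without the device lock every PIO step of the sequence is interrupted by the erase (three conflicts here); with it held, the erase waits and no conflict occurs.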
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 28ea836cc44c |
| 5.15 | 5.15.203 | fe4a73c3dd48 |
| 6.1 | 6.1.167 | ce5229e78078 |
| 6.6 | 6.6.130 | a80291e577b4 |
| 6.12 | 6.12.78 | f71ce0ae5aef |
| 6.18 | 6.18.20 | 5fd5c078af23 |
| 6.19 | 6.19.10 | f25446e2c289 |
| mainline | 7.0 | bab2bc6e850a |