#VU124466 Incorrect Register Defaults or Module Parameters in Linux kernel - CVE-2026-23368
Published: March 25, 2026
Linux kernel
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking order in the phy_led_triggers_register function when handling LED triggers during PHY device probe. A local user can trigger a system call that leads to conflicting lock acquisition sequences, resulting in an AB-BA deadlock between the RTNL mutex and the triggers_list_lock, ultimately causing a kernel deadlock and system hang.
The issue arises when LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are both enabled, allowing conflicting lock acquisition orders depending on execution context.
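The configuration precondition above can be checked against a kernel config file. The script below is an added example, not part of the advisory or the kernel tree; the function names and sample configs are constructed for illustration. It reports only whether both options are built, not whether the kernel already carries a fix.

```shell
#!/bin/sh
# Added example: report whether a kernel .config enables both options the
# description names as the precondition for the AB-BA deadlock.

# config_state FILE SYMBOL: print y, m or n for CONFIG_<SYMBOL>.
config_state() {
    # Kconfig emits "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set";
    # a symbol that is absent altogether is treated as disabled too.
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# precondition_met FILE: exit 0 when both trigger options are built (y or m).
precondition_met() {
    [ "$(config_state "$1" LEDS_TRIGGER_NETDEV)" != n ] &&
        [ "$(config_state "$1" LED_TRIGGER_PHY)" != n ]
}

# report FILE: one-word verdict for the given config file.
report() {
    if precondition_met "$1"; then
        echo "both-enabled"
    else
        echo "not-both-enabled"
    fi
}

# Constructed sample configs (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/both" <<'EOF'
CONFIG_LEDS_TRIGGERS=y
CONFIG_LEDS_TRIGGER_NETDEV=m
CONFIG_LED_TRIGGER_PHY=y
EOF
cat > "$SAMPLE_DIR/phy_off" <<'EOF'
CONFIG_LEDS_TRIGGER_NETDEV=y
# CONFIG_LED_TRIGGER_PHY is not set
EOF

echo "sample both:    $(report "$SAMPLE_DIR/both")"
echo "sample phy_off: $(report "$SAMPLE_DIR/phy_off")"

# On a real host, use the running kernel's config if the distribution ships one.
HOST_CFG="/boot/config-$(uname -r)"
if [ -r "$HOST_CFG" ]; then
    echo "host:           $(report "$HOST_CFG")"
fi
```

Where the config is exposed only as /proc/config.gz, decompress it to a file first and pass that file to report.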
Remediation
External links
- https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482
- https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575
- https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217
- https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a
- https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d
- https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757