{"id":"CVE-2026-52977","summary":"futex: Prevent lockup in requeue-PI during signal/ timeout wakeup","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent lockup in requeue-PI during signal/ timeout wakeup\n\nDuring wait-requeue-pi (task A) and requeue-PI (task B) the following\nrace can happen:\n\n     Task A                             Task B\n  futex_wait_requeue_pi()\n    futex_setup_timer()\n    futex_do_wait()\n                                   futex_requeue()\n                                        CLASS(hb, hb1)(&key1);\n                                        CLASS(hb, hb2)(&key2);\n        *timeout*\n    futex_requeue_pi_wakeup_sync()\n        requeue_state = Q_REQUEUE_PI_IGNORE\n\n    *blocks on hb-\u003elock*\n\n                                        futex_proxy_trylock_atomic()\n                                          futex_requeue_pi_prepare()\n                                            Q_REQUEUE_PI_IGNORE =\u003e -EAGAIN\n                                        double_unlock_hb(hb1, hb2)\n                                         *retry*\n\nTask B acquires both hb locks and attempts to acquire the PI-lock of the\ntop most waiter (task B). Task A is leaving early due to a signal/\ntimeout and started removing itself from the queue. It updates its\nrequeue_state but can not remove it from the list because this requires\nthe hb lock which is owned by task B.\n\nUsually task A is able to swoop the lock after task B unlocked it.\nHowever if task B is of higher priority then task A may not be able to\nwake up in time and acquire the lock before task B gets it again.\nEspecially on a UP system where A is never scheduled.\n\nAs a result task A blocks on the lock and task B busy loops, trying to\nmake progress but live locks the system instead. Tragic.\n\nThis can be fixed by removing the top most waiter from the list in this\ncase. This allows task B to grab the next top waiter (if any) in the\nnext iteration and make progress.\n\nRemove the top most waiter if futex_requeue_pi_prepare() fails.\nLet the waiter conditionally remove itself from the list in\nhandle_early_requeue_pi_wakeup().","modified":"2026-07-08T08:13:44.697091376Z","published":"2026-06-24T16:28:53.937Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52977.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4e0ed44e51727d56244a822ab941efe507c47966"},{"type":"WEB","url":"https://git.kernel.org/stable/c/69a7cfc66405aeaa2483147653d031b3592ffc9c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc7304f3ae20972d11db6e0b1b541c63feda5f05"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3f95b1ba242e37093305812df7fdbe7288a43ac"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52977.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52977"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"07d91ef510fb16a2e0ca7453222105835b7ba3b8"},{"fixed":"4e0ed44e51727d56244a822ab941efe507c47966"},{"fixed":"e3f95b1ba242e37093305812df7fdbe7288a43ac"},{"fixed":"0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf"},{"fixed":"69a7cfc66405aeaa2483147653d031b3592ffc9c"},{"fixed":"0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0"},{"fixed":"bc7304f3ae20972d11db6e0b1b541c63feda5f05"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52977.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.91"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52977.json"}}],"schema_version":"1.7.5"}