In the Linux kernel, the following vulnerability has been resolved:
rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
For kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can
result in a NULL-pointer dereference:
CPU1 CPU2
rcu_preempt_deferred_qs_irqrestore rcu_print_task_exp_stall
if (special.b.blocked) READ_ONCE(rnp->exp_tasks) != NULL
raw_spin_lock_rcu_node
np = rcu_next_node_entry(t, rnp)
if (&t->rcu_node_entry == rnp->exp_tasks)
WRITE_ONCE(rnp->exp_tasks, np)
....
raw_spin_unlock_irqrestore_rcu_node
raw_spin_lock_irqsave_rcu_node
t = list_entry(rnp->exp_tasks->prev,
struct task_struct, rcu_node_entry)
(if rnp->exp_tasks is NULL, this
will dereference a NULL pointer)
The problem is that CPU2 accesses the rcu_node structure's->exp_tasks
field without holding the rcu_node structure's ->lock and CPU2 did
not observe CPU1's change to rcu_node structure's ->exp_tasks in time.
Therefore, if CPU1 sets rcu_node structure's->exp_tasks pointer to NULL,
then CPU2 might dereference that NULL pointer.
This commit therefore holds the rcu_node structure's ->lock while
accessing that structure's->exp_tasks field.
[ paulmck: Apply Frederic Weisbecker feedback. ]
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel availability bug. On systems built with CONFIG_PREEMPT_RCU, a race in RCU stall reporting can cause the kernel to dereference a NULL pointer, potentially crashing the system. The CVSS impact is availability only, with local low-privilege access required.
Executive priority
Treat this as a moderate availability issue. It is not described as remotely exploitable, but it can matter for service reliability where local users, containers, or workloads share a Linux host.
Technical view
The flaw is a CWE-476 NULL pointer dereference in rcu_print_task_exp_stall(). One CPU can update rcu_node->exp_tasks to NULL while another reads it without holding the rcu_node lock. The fix holds the rcu_node lock while accessing exp_tasks.
Likely exposure
Exposure is limited to Linux kernels matching the affected records and built with CONFIG_PREEMPT_RCU=y. Business risk is highest for multi-user Linux systems, shared compute, and critical servers where a local-triggered kernel crash would disrupt availability.
Exploitation context
The source bundle does not report known active exploitation, and KEV is false. The CVSS vector indicates local access, low attack complexity, low privileges, no user interaction, and high availability impact without confidentiality or integrity impact.
Researcher notes
Evidence supports a race condition in RCU expedited stall printing. The provided details identify root cause and fix direction, but do not provide distribution-specific package versions, exploit reports, or operational mitigations beyond applying vendor kernel fixes.
Mitigation direction
Check kernel vendor advisories for fixed packages matching your distribution and branch.
Prioritize updates on systems where local users or workloads are not fully trusted.
Track the referenced Linux stable commits in kernel branches you build or maintain.
If no package is available, follow vendor guidance for backporting the locking fix.
Validation and detection
Inventory Linux kernel versions and confirm whether CONFIG_PREEMPT_RCU is enabled.
Compare deployed kernels against vendor-fixed versions or the referenced stable commits.
Confirm patched kernels include locking around rcu_node->exp_tasks access in this path.
Run normal regression testing for kernel updates before production rollout.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.