{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31667", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:15.937Z", "dateUpdated": "2026-05-11T22:13:16.401Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:16.401Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff->mutex and calls\n uinput_dev_upload_effect() -> uinput_request_submit() ->\n uinput_request_send(), which acquires udev->mutex.\n\n2. device create: uinput_ioctl_handler() holds udev->mutex and calls\n uinput_create_device() -> input_register_device(), which acquires\n input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n calls kbd_connect() -> input_register_handle(), which acquires\n dev->mutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n dev->mutex, which calls input_ff_flush() acquiring ff->mutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex. The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep). This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot(). Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n ff->mutex -> state_lock (spinlock, leaf)\n udev->mutex -> state_lock (spinlock, leaf)\n udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/input/misc/uinput.c"], "versions": [{"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "71a9729f412e2c692a35c542e14b706fb342927f", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "271ee71a1917b89f6d73ec82dd091c33d92ee617", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "974f7b138c3a96dd5cd53d1b33409cd7b2229dc6", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "546c18a14924eb521fe168d916d7ce28f1e13c1d", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "a3d6c9c053c9c605651508569230ead633b13f76", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "1e09dfbb4f5d20ee111f92325a00f85778a5f328", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "1534661043c434b81cfde26b97a2fb2460329cf0", "status": "affected", "versionType": "git"}, {"version": "ff462551235d8d7d843a005950bc90924fcedede", "lessThan": "4cda78d6f8bf2b700529f2fbccb994c3e826d7c2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/input/misc/uinput.c"], "versions": [{"version": "2.6.19", "status": "affected"}, {"version": "0", "lessThan": "2.6.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/71a9729f412e2c692a35c542e14b706fb342927f"}, {"url": "https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617"}, {"url": "https://git.kernel.org/stable/c/974f7b138c3a96dd5cd53d1b33409cd7b2229dc6"}, {"url": "https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d"}, {"url": "https://git.kernel.org/stable/c/a3d6c9c053c9c605651508569230ead633b13f76"}, {"url": "https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328"}, {"url": "https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0"}, {"url": "https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2"}], "title": "Input: uinput - fix circular locking dependency with ff-core", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "59C4CD77-5444-4760-B0D8-F238740397B4", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.19.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*", "matchCriteriaId": "9E2DBD4C-9DD9-4DD3-87CB-A0070A789CEA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff->mutex and calls\n uinput_dev_upload_effect() -> uinput_request_submit() ->\n uinput_request_send(), which acquires udev->mutex.\n\n2. device create: uinput_ioctl_handler() holds udev->mutex and calls\n uinput_create_device() -> input_register_device(), which acquires\n input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n calls kbd_connect() -> input_register_handle(), which acquires\n dev->mutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n dev->mutex, which calls input_ff_flush() acquiring ff->mutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex. The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep). This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot(). Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n ff->mutex -> state_lock (spinlock, leaf)\n udev->mutex -> state_lock (spinlock, leaf)\n udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)"}], "id": "CVE-2026-31667", "lastModified": "2026-04-27T20:00:40.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:46.390", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/71a9729f412e2c692a35c542e14b706fb342927f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/974f7b138c3a96dd5cd53d1b33409cd7b2229dc6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a3d6c9c053c9c605651508569230ead633b13f76"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Input: uinput - fix circular locking dependency with ff-core", "id": "2461558", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461558"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-833", "details": ["A flaw was found in the Linux kernel, specifically within the uinput (user input) and ff-core (force feedback core) modules. A local user, by interacting with a force-feedback gamepad through uinput, can trigger a condition where different parts of the system wait indefinitely for each other to release resources, known as a circular locking dependency. This can lead to a system deadlock, causing the affected system to become unresponsive."], "name": "CVE-2026-31667", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31667\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31667\nhttps://lore.kernel.org/linux-cve-announce/2026042406-CVE-2026-31667-a1a7@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,71a9729f412e2c692a35c542e14b706fb342927f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,271ee71a1917b89f6d73ec82dd091c33d92ee617)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,974f7b138c3a96dd5cd53d1b33409cd7b2229dc6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,546c18a14924eb521fe168d916d7ce28f1e13c1d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,a3d6c9c053c9c605651508569230ead633b13f76)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,1e09dfbb4f5d20ee111f92325a00f85778a5f328)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,1534661043c434b81cfde26b97a2fb2460329cf0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ff462551235d8d7d843a005950bc90924fcedede,4cda78d6f8bf2b700529f2fbccb994c3e826d7c2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.169,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:43:05.806160+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the uinput state_lock patch (commit\u00a01534661043c434b81cfde26b97a2fb2460329cf0\u00a0and its backports).", "Disable user\u2011mode force\u2011feedback devices that use uinput until the patch is applied, for example by masking the ff module or preventing device creation via uinput.", "If a kernel update is not immediately possible, monitor lockdep warnings and reboot the system to recover from a deadlock caused by the circular lock dependency."], "summary": {"action": "Immediate Patch", "impact": "Lock ordering violation with potential system instability"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases are affected, from the 2.6.19 branch through the current 7.0 series including all release candidates (rc1 through rc7). The kernel CPE list includes every kernel version, indicating that any install of the kernel without the patch is potentially vulnerable.", "description_and_impact": "The vulnerability is a circular locking dependency in the Linux kernel\u2019s uinput subsystem that can be triggered when a force\u2011feedback gamepad queues an effect. A lock ordering cycle\u2014ff mutex \u2192 udev mutex \u2192 input mutex \u2192 dev mutex \u2192 ff mutex\u2014produces a lockdep warning that signals a violation of kernel lock ordering rules. The CVE description does not report a kernel deadlock, but the presence of the warning and the nature of the cycle suggests the possibility that the system could become unresponsive if the cycle were to occur during normal operation. This flaw is a concurrency weakness classified under CWE-667 and CWE-833.", "risk_and_exploitability": "The CVSS score of 7.8 reflects a high severity availability impact. The EPSS score is below 1%, and the vulnerability is not in the CISA KEV catalog, indicating a low exploitation probability. The flaw can be triggered by local use of a force\u2011feedback device such as a gamepad using uinput, or by a process that can drive the device. If the lock ordering cycle were to occur under normal operation, it could potentially lead to a deadlock and a local denial of service, but the CVE description does not confirm that a deadlock occurs. The fix replaces the udev mutex acquisition with a spinlock (state_lock) that breaks the circular dependency, restoring safe lock ordering."}}}}, "created": "2026-04-27T19:30:11.873573+00:00", "updated": "2026-04-28T13:45:06.145364+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}