Bug 2454813 (CVE-2026-23434)

Summary: CVE-2026-23434 kernel: mtd: rawnand: serialize lock/unlock against other NAND operations
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `mtd: rawnand` subsystem of the Linux kernel. This vulnerability occurs because the `nand_lock()` and `nand_unlock()` functions do not properly coordinate with other NAND operations. This can lead to a race condition where concurrent Universal Block Image (UBI) or UBIFS background operations interfere with lock/unlock calls, causing command conflicts on the NAND controller. Such conflicts can result in system instability or a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-03 16:02:08 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: serialize lock/unlock against other NAND operations

nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
without holding the NAND device lock. On controllers that implement
SET_FEATURES via multiple low-level PIO commands, these can race with
concurrent UBI/UBIFS background erase/write operations that hold the
device lock, resulting in cmd_pending conflicts on the NAND controller.

Add nand_get_device()/nand_release_device() around the lock/unlock
operations to serialize them against all other NAND controller access.
Comment 1 Jon Moroney 2026-04-03 19:14:19 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040311-CVE-2026-23434-f0f0@gregkh/T