CVE-2026-46304

HIGHPre-NVD 7.57.5
EchelonGraph scoreHIGH confidence

Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2026-06-08. the CNA's CVSS baseline 7.5; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:linux, epss, ghsa
Trending — 4 sources updated this week
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the final controller reference through nvmet_cq_put(). If that triggers nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on the same nvmet-wq.

Call chain:

nvmet_tcp_schedule_release_queue() kref_put(&queue->kref, nvmet_tcp_release_queue) nvmet_tcp_release_queue() queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq process_one_work() nvmet_tcp_release_queue_work() nvmet_cq_put(&queue->nvme_cq) nvmet_cq_destroy() nvmet_ctrl_put(cq->ctrl) nvmet_ctrl_free() flush_work(&ctrl->async_event_work) <--- nvmet_wq

Previously Scheduled by :- nvmet_add_async_event queue_work(nvmet_wq, &ctrl->async_event_work);

This trips lockdep with a possible recursive locking warning.

[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55 [ 5223.061801] loop0: detected capacity change from 0 to 2097152 [ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1 [ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420) [ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349. [ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 [ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"

[ 5233.227718] ============================================ [ 5233.231283] WARNING: possible recursive locking detected [ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N [ 5233.238434] -------------------------------------------- [ 5233.241852] kworker/u192:6/2413 is trying to acquire lock: [ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 [ 5233.251438] but task is already holding lock: [ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.261125] other info that might help us debug this: [ 5233.265333] Possible unsafe locking scenario:

[ 5233.269217] CPU0 [ 5233.270795] ---- [ 5233.272436] lock((wq_completion)nvmet-wq); [ 5233.275241] lock((wq_completion)nvmet-wq); [ 5233.278020] * DEADLOCK *

[ 5233.281793] May be due to missing lock nesting notation

[ 5233.286195] 3 locks held by kworker/u192:6/2413: [ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0 [ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530 [ 5233.304290] stack backtrace: [ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full) [ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST [ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp] [ 5233.306532] Call Trace: [ 5233.306534] [ 5233.306536] dump_stack_lvl+0x73/0xb0 [ 5233.306552] print_deadlock_bug+0x225/0x2f0 [ 5233.306556] __lock_acquire+0x13f0/0x2290 [ 5233.306563] lock_acquire+0xd0/0x300 [ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306571] ? __flush_work+0x20b/0x530 [ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306577] touch_wq_lockdep_map+0x3b/0x90 [ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90 [ 52 ---truncated---

CVSS v3
7.5
EG Score
7.5(high)
EPSS
30.9%
KEV
Not listed

Published

June 8, 2026

Last Modified

June 14, 2026

Advisory Details (8)

Auto-updated Jun 14, 2026
No patch confirmed yet.
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ee6e20c4bc9eae542a0954a368449532383169d4
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ae5b0cad163833e10b271e9becc05d81dae56e5f
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/aade8abd8b868b6ffa9697aadaea28ec7f65bee6
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/a696fbbd5240b4ac9b166f7bd4c550882ff543f1
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/9a4d7222c0955b221e38bb66d10e6bccb672c8a1
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/8d66ba89480ff098a58d79003a505f383aa4e920
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/781f47d641432c26c19625b2cdd7f40825097592
generic

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/551f445a56a11a6457550cddcf39c9ebb8bcacc6

Vendor Advisories for CVE-2026-46304(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 36× in last 7d / 138× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 138 total refreshes for this CVE.

  1. 2026-07-06 16:27 UTCEPSS rescore
  2. 2026-07-06 02:23 UTCEPSS rescore
  3. 2026-07-05 17:31 UTCEG score recompute
  4. 2026-07-05 17:31 UTCVendor advisory
  5. 2026-07-05 17:31 UTCGHSA enrichment
  6. 2026-07-05 03:33 UTCEG score recompute
  7. 2026-07-05 03:33 UTCVendor advisory
  8. 2026-07-05 03:33 UTCGHSA enrichment
  9. 2026-07-05 02:30 UTCEPSS rescore
  10. 2026-07-04 14:57 UTCEG score recompute
  11. 2026-07-04 14:57 UTCVendor advisory
  12. 2026-07-04 14:57 UTCGHSA enrichment
  13. 2026-07-04 06:31 UTCEPSS rescore
  14. 2026-07-03 16:14 UTCEG score recompute
  15. 2026-07-03 16:14 UTCVendor advisory
  16. 2026-07-03 16:14 UTCGHSA enrichment
  17. 2026-07-03 00:58 UTCEG score recompute
  18. 2026-07-03 00:58 UTCVendor advisory
  19. 2026-07-03 00:58 UTCGHSA enrichment
  20. 2026-07-02 12:18 UTCEG score recompute
  21. 2026-07-02 12:18 UTCVendor advisory
  22. 2026-07-02 12:18 UTCGHSA enrichment
  23. 2026-07-01 22:57 UTCEG score recompute
  24. 2026-07-01 22:57 UTCVendor advisory
  25. 2026-07-01 22:57 UTCGHSA enrichment
Show 75 more
  1. 2026-07-01 15:07 UTCEPSS rescore
  2. 2026-07-01 10:14 UTCEG score recompute
  3. 2026-07-01 10:14 UTCVendor advisory
  4. 2026-07-01 10:14 UTCGHSA enrichment
  5. 2026-06-30 23:22 UTCEPSS rescore
  6. 2026-06-30 21:38 UTCEG score recompute
  7. 2026-06-30 21:38 UTCVendor advisory
  8. 2026-06-30 21:38 UTCGHSA enrichment
  9. 2026-06-30 08:47 UTCEG score recompute
  10. 2026-06-30 08:47 UTCVendor advisory
  11. 2026-06-30 08:47 UTCGHSA enrichment
  12. 2026-06-29 20:08 UTCEG score recompute
  13. 2026-06-29 20:08 UTCVendor advisory
  14. 2026-06-29 20:08 UTCGHSA enrichment
  15. 2026-06-29 14:06 UTCEPSS rescore
  16. 2026-06-29 14:06 UTCEPSS rescore
  17. 2026-06-29 07:33 UTCEG score recompute
  18. 2026-06-29 07:33 UTCVendor advisory
  19. 2026-06-29 07:32 UTCGHSA enrichment
  20. 2026-06-28 15:20 UTCEG score recompute
  21. 2026-06-28 15:20 UTCVendor advisory
  22. 2026-06-28 15:20 UTCGHSA enrichment
  23. 2026-06-28 14:07 UTCEPSS rescore
  24. 2026-06-28 04:56 UTCEPSS rescore
  25. 2026-06-28 04:56 UTCEPSS rescore
  26. 2026-06-28 02:41 UTCEG score recompute
  27. 2026-06-28 02:41 UTCVendor advisory
  28. 2026-06-28 02:41 UTCGHSA enrichment
  29. 2026-06-27 14:05 UTCEG score recompute
  30. 2026-06-27 14:05 UTCVendor advisory
  31. 2026-06-27 14:05 UTCGHSA enrichment
  32. 2026-06-27 03:08 UTCEPSS rescore
  33. 2026-06-27 01:22 UTCEG score recompute
  34. 2026-06-27 01:22 UTCVendor advisory
  35. 2026-06-27 01:22 UTCGHSA enrichment
  36. 2026-06-26 12:46 UTCEG score recompute
  37. 2026-06-26 12:46 UTCVendor advisory
  38. 2026-06-26 12:46 UTCGHSA enrichment
  39. 2026-06-25 22:34 UTCEG score recompute
  40. 2026-06-25 22:34 UTCVendor advisory
  41. 2026-06-25 22:34 UTCGHSA enrichment
  42. 2026-06-25 13:49 UTCEPSS rescore
  43. 2026-06-25 09:52 UTCEG score recompute
  44. 2026-06-25 09:52 UTCVendor advisory
  45. 2026-06-25 09:52 UTCGHSA enrichment
  46. 2026-06-24 21:17 UTCEG score recompute
  47. 2026-06-24 21:17 UTCVendor advisory
  48. 2026-06-24 21:17 UTCGHSA enrichment
  49. 2026-06-24 14:05 UTCEPSS rescore
  50. 2026-06-24 05:02 UTCEG score recompute
  51. 2026-06-24 05:02 UTCVendor advisory
  52. 2026-06-24 05:02 UTCGHSA enrichment
  53. 2026-06-23 21:33 UTCEPSS rescore
  54. 2026-06-23 21:33 UTCEPSS rescore
  55. 2026-06-23 16:01 UTCEG score recompute
  56. 2026-06-23 16:01 UTCVendor advisory
  57. 2026-06-23 16:01 UTCGHSA enrichment
  58. 2026-06-23 02:47 UTCEG score recompute
  59. 2026-06-23 02:47 UTCVendor advisory
  60. 2026-06-23 02:47 UTCGHSA enrichment
  61. 2026-06-22 14:25 UTCEPSS rescore
  62. 2026-06-22 14:25 UTCEPSS rescore
  63. 2026-06-22 14:08 UTCEG score recompute
  64. 2026-06-22 14:08 UTCVendor advisory
  65. 2026-06-22 14:07 UTCGHSA enrichment
  66. 2026-06-21 20:16 UTCEG score recompute
  67. 2026-06-21 20:16 UTCVendor advisory
  68. 2026-06-21 20:15 UTCGHSA enrichment
  69. 2026-06-21 14:56 UTCEPSS rescore
  70. 2026-06-21 14:56 UTCEPSS rescore
  71. 2026-06-21 05:21 UTCEG score recompute
  72. 2026-06-21 05:21 UTCVendor advisory
  73. 2026-06-21 05:20 UTCGHSA enrichment
  74. 2026-06-21 01:59 UTCEPSS rescore
  75. 2026-06-21 01:59 UTCEPSS rescore

Frequently asked(5)

What is CVE-2026-46304?
CVE-2026-46304 is a high vulnerability published on June 8, 2026. In the Linux kernel, the following vulnerability has been resolved: nvmet: avoid recursive nvmet-wq flush in nvmetctrlfree nvmettcpreleasequeuework() runs on nvmet-wq and can drop the final controller reference through nvmetcqput(). If that triggers nvmetctrlfree(), the teardown path flushes…
When was CVE-2026-46304 disclosed?
CVE-2026-46304 was first published in the National Vulnerability Database on June 8, 2026, with the most recent update on June 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-46304 actively exploited?
CVE-2026-46304 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 30.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-46304?
CVE-2026-46304 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-46304?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46304, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-46304

Explore →

Is Your Infrastructure Affected by CVE-2026-46304?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.