{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "07d91ef510fb16a2e0ca7453222105835b7ba3b8"
            },
            {
              "fixed": "4e0ed44e51727d56244a822ab941efe507c47966"
            },
            {
              "fixed": "e3f95b1ba242e37093305812df7fdbe7288a43ac"
            },
            {
              "fixed": "0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf"
            },
            {
              "fixed": "69a7cfc66405aeaa2483147653d031b3592ffc9c"
            },
            {
              "fixed": "0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0"
            },
            {
              "fixed": "bc7304f3ae20972d11db6e0b1b541c63feda5f05"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.15.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.141"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.91"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52977.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent lockup in requeue-PI during signal/ timeout wakeup\n\nDuring wait-requeue-pi (task A) and requeue-PI (task B) the following\nrace can happen:\n\n     Task A                             Task B\n  futex_wait_requeue_pi()\n    futex_setup_timer()\n    futex_do_wait()\n                                   futex_requeue()\n                                        CLASS(hb, hb1)(\u0026key1);\n                                        CLASS(hb, hb2)(\u0026key2);\n        *timeout*\n    futex_requeue_pi_wakeup_sync()\n        requeue_state = Q_REQUEUE_PI_IGNORE\n\n    *blocks on hb-\u003elock*\n\n                                        futex_proxy_trylock_atomic()\n                                          futex_requeue_pi_prepare()\n                                            Q_REQUEUE_PI_IGNORE =\u003e -EAGAIN\n                                        double_unlock_hb(hb1, hb2)\n                                         *retry*\n\nTask B acquires both hb locks and attempts to acquire the PI-lock of the\ntop most waiter (task B). Task A is leaving early due to a signal/\ntimeout and started removing itself from the queue. It updates its\nrequeue_state but can not remove it from the list because this requires\nthe hb lock which is owned by task B.\n\nUsually task A is able to swoop the lock after task B unlocked it.\nHowever if task B is of higher priority then task A may not be able to\nwake up in time and acquire the lock before task B gets it again.\nEspecially on a UP system where A is never scheduled.\n\nAs a result task A blocks on the lock and task B busy loops, trying to\nmake progress but live locks the system instead. Tragic.\n\nThis can be fixed by removing the top most waiter from the list in this\ncase. This allows task B to grab the next top waiter (if any) in the\nnext iteration and make progress.\n\nRemove the top most waiter if futex_requeue_pi_prepare() fails.\nLet the waiter conditionally remove itself from the list in\nhandle_early_requeue_pi_wakeup().",
  "id": "CVE-2026-52977",
  "modified": "2026-07-08T05:37:14.931590011Z",
  "published": "2026-06-24T16:28:53.937Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e0ed44e51727d56244a822ab941efe507c47966"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69a7cfc66405aeaa2483147653d031b3592ffc9c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc7304f3ae20972d11db6e0b1b541c63feda5f05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3f95b1ba242e37093305812df7fdbe7288a43ac"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52977.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52977"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "futex: Prevent lockup in requeue-PI during signal/ timeout wakeup"
}