Detections
Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-23356

critical Nessus Plugin ID 303699

Synopsis

The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be patched.

Description

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

 - drbd: fix LOGIC BUG in drbd_al_begin_io_nonblock() Even though we check that we should be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged LOGIC BUG for enr=..., but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log extents. The implcations are that during an active resync, mutual exclusivity of resync versus application IO is not guaranteed. And a potential crash at this point may not realizs that these extents could have been target of in-flight IO and would need to be resynced just in case. Also, once the request completes, it will give up activity log references it does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). Fix: Do not crash the kernel for a condition that is harmless during normal operation: also catch e->refcnt == 0, not only e == NULL when being noisy about al_complete_io() called on inactive extent %u\n. And do not try to be smart and guess whether something will work, then be surprised when it does not. Deal with the fact that it may or may not work.
 If it does not, remember a possible partially in activity log state (only possible for requests that cross extent boundaries), and return an error code from drbd_al_begin_io_nonblock(). A latter call for the same request will then resume from where we left off. (CVE-2026-23356)

Note that Nessus relies on the presence of the package as reported by the vendor.

Solution

There is no known solution at this time.

See Also

https://security-tracker.debian.org/tracker/CVE-2026-23356

Plugin Details

Severity: Critical

ID: 303699

File Name: unpatched_CVE_2026_23356.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 3/25/2026

Updated: 3/25/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-23356

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:U/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:linux, cpe:/o:debian:debian_linux:12.0, cpe:/o:debian:debian_linux:13.0

Required KB Items: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/25/2026

Reference Information

CVE: CVE-2026-23356