PT-2026-36471 · Linux · Linux Kernel

Published: 2026-05-01 · Updated: 2026-05-03 · CVE-2026-43054

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The tcm_loop_target_reset() function violates the SCSI Error Handler (EH) contract by returning success without draining in-flight commands. This allows the SCSI EH to reuse scsi_cmnd structures for recovery commands while the target core still has asynchronous completion work queued for the old se_cmd. Consequently, the memset in queuecommand zeroes se_lun and lun_ref_active, leading transport_lun_remove_cmd() to skip its percpu_ref_put(). This results in a leaked LUN reference that prevents transport_clear_lun_ref() from completing, causing the configfs LUN unlink process to hang indefinitely in D-state.

Recommendations

Update the Linux kernel to a version where tcm_loop_target_reset() is modified to drain commands by issuing TMR_LUN_RESET via tcm_loop_issue_tmr() and using blk_mq_tagset_busy_iter() to iterate started requests and apply flush_work() on each se_cmd.
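
The ordering problem in the description and the effect of the recommended drain can be seen in a small user-space model. This is an added example, not kernel code and not taken from the fix; the struct layouts, `submit_cmd()`, `flush_pending()` and `leaked_refs_after_reset()` are hypothetical stand-ins that only mirror the field and function names used above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* User-space model; the types only mirror field names from the advisory. */
struct lun { int refs; };            /* stands in for the LUN's percpu_ref */
struct se_cmd { struct lun *se_lun; bool lun_ref_active; };
struct workqueue { struct se_cmd *pending; };  /* queued async completion */

/* Command submission: take a LUN reference and record it in the se_cmd. */
static void submit_cmd(struct se_cmd *cmd, struct lun *lun)
{
    cmd->se_lun = lun;
    cmd->lun_ref_active = true;
    lun->refs++;
}

/* Models transport_lun_remove_cmd(): the put depends on fields in se_cmd. */
static void lun_remove_cmd(struct se_cmd *cmd)
{
    if (cmd->se_lun && cmd->lun_ref_active) {
        cmd->lun_ref_active = false;
        cmd->se_lun->refs--;
    }
}

/* Models flush_work(): run the queued completion now, if there is one. */
static void flush_pending(struct workqueue *wq)
{
    if (wq->pending) {
        lun_remove_cmd(wq->pending);
        wq->pending = NULL;
    }
}

/* Returns LUN references still held after reset, reuse and late completion. */
int leaked_refs_after_reset(bool reset_drains)
{
    struct lun lun = { 0 };
    struct se_cmd cmd;
    struct workqueue wq = { NULL };

    memset(&cmd, 0, sizeof(cmd));
    submit_cmd(&cmd, &lun);
    wq.pending = &cmd;               /* completion queued, not yet run */

    if (reset_drains)                /* fixed reset: drain before success */
        flush_pending(&wq);
    memset(&cmd, 0, sizeof(cmd));    /* EH reuses the command (queuecommand) */
    flush_pending(&wq);              /* stale completion finally runs */
    return lun.refs;                 /* non-zero: LUN unlink would wait forever */
}
```

A non-zero return corresponds to the leaked LUN reference that keeps transport_clear_lun_ref() from completing; with the drain in place the count returns to zero before the command is reused.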

Fix

Missing Release of Resource after Effective Lifetime

Weakness Enumeration

Related Identifiers

CVE-2026-43054
ECHO-2BD4-D041-E7B1

Affected Products

Linux Kernel