PT-2026-44296 · Linux · Linux

Published: 2026-05-28 · Updated: 2026-05-28 · CVE-2026-46173

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

exit: prevent preemption of oopsing TASK_DEAD task

When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)
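
The repeated reference drop described above, as an added user-space model in C; it is not kernel code and not part of the advisory or the patch. The `struct task` fields, `model_schedule()` and `model_task_death()` are hypothetical names, and the stack's reference count is reduced to a single integer.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: names echo the kernel's, but every type and function here is hypothetical. */
enum state { RUNNING, DEAD };
enum mode { MODE_EXPLICIT, MODE_PREEMPT };  /* stand-ins for an explicit schedule vs. SM_PREEMPT */

struct task {
    enum state state;
    bool on_rq;      /* still runnable, so it can be picked again */
    int stack_refs;  /* references held on the task's stack */
};

/* Model of the scheduler switching away from prev. */
static void model_schedule(struct task *prev, enum mode mode)
{
    /* Only an explicit schedule takes a non-running task off the runqueue;
     * a preempted task stays queued whatever its state is. */
    if (mode == MODE_EXPLICIT && prev->state != RUNNING)
        prev->on_rq = false;
    /* finish_task_switch() step: a DEAD prev is assumed never to run again. */
    if (prev->state == DEAD)
        prev->stack_refs--;
}

/* Model of the exit tail. preempt_hits is how many involuntary switches land
 * between "state = DEAD" and the explicit schedule; they can only happen when
 * preemption is enabled. Returns the final stack refcount (0 is correct). */
static int model_task_death(bool preempt_disabled, int preempt_hits)
{
    struct task t = { RUNNING, true, 1 };

    t.state = DEAD;
    for (int i = 0; i < preempt_hits && !preempt_disabled; i++)
        model_schedule(&t, MODE_PREEMPT);  /* t.on_rq stays true: the dead task resumes */
    model_schedule(&t, MODE_EXPLICIT);     /* the one switch that is meant to be final */
    return t.stack_refs;
}

int main(void)
{
    printf("preemption disabled:        refs=%d\n", model_task_death(true, 2));
    printf("preemption enabled, 0 hits: refs=%d\n", model_task_death(false, 0));
    printf("preemption enabled, 2 hits: refs=%d\n", model_task_death(false, 2));
    return 0;
}
```

A final count below zero is the model's equivalent of the extra drops on the dead task's stack; with preemption disabled around the exit tail the count always ends at exactly zero.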

Fix

Related Identifiers

CVE-2026-46173

Affected Products

Linux