Skip to main content

Linux Kernel CVE-2026-52930

| EUVDEUVD-2026-38700 MEDIUM
2026-06-24 Linux GHSA-5g46-hmw3-w78x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires winning a narrow kernel timing window, justifying AC:H over the vendor's AC:L; all other metrics align with the description.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 16:13 vuln.today
CVSS changed
Jul 08, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipc/shm: serialize orphan cleanup with shm_nattch updates

shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that does not serialize all fields tested by shm_may_destroy(). In particular, shm_nattch is updated while holding shm_perm.lock, and attach paths can do that without holding the rwsem.

Do not decide that an orphaned segment is unused before taking the object lock. Move the shm_may_destroy() check under shm_perm.lock, matching the other destroy paths, and unlock the segment when it no longer qualifies for removal.

AnalysisAI

Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The shm_destroy_orphaned() cleanup path evaluates whether an orphaned segment is safe to destroy by checking shm_nattch without holding shm_perm.lock, while the attach/detach paths update that counter independently of shm_ids(ns).rwsem, creating a window where a still-attached segment is erroneously destroyed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user shell access
Delivery
Create and orphan a System V shared memory segment
Exploit
Spawn concurrent shmat/shmdt threads to manipulate shm_nattch
Execution
Race shm_destroy_orphaned() during orphan cleanup
Persist
Trigger premature segment destruction
Impact
Kernel panic (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires local system access with at minimum standard unprivileged user credentials (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 (Medium) accurately captures the local-only, availability-only impact with low-privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with standard unprivileged credentials creates a System V shared memory segment and causes its owning process to exit, making the segment orphaned. The attacker then spawns concurrent threads that rapidly call shmat and shmdt on the orphaned segment, while the kernel's periodic orphan cleanup path (`shm_destroy_orphaned`) is simultaneously running. …
Remediation The primary fix is upgrading to a patched Linux kernel stable release: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, depending on the branch in use. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy