Skip to main content

Linux Kernel CVE-2026-52973

| EUVDEUVD-2026-38841 HIGH
Expired Pointer Dereference (CWE-825)
2026-06-24 Linux GHSA-9qj4-wr4g-7m6f
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local unprivileged code execution (AV:L/PR:L); AC:H because it requires the unusual CLONE_VM-not-CLONE_THREAD pattern and winning a lifetime race; the UAF yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:38 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

futex: Drop CLONE_THREAD requirement for private default hash alloc

Currently need_futex_hash_allocate_default() depends on strict pthread semantics, abusing CLONE_THREAD. This breaks the non-concurrency assumptions when doing the mm->futex_ref pcpu allocations, leading to bugs[0] when sharing the mm in other ways; ie:

BUG: KASAN: slab-use-after-free in futex_hash_put

... where the +1 bias can end up on a percpu counter that mm->futex_ref no longer points at.

Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding vfork keeps the existing paths untouched (no overhead), and we can't race in the first place: either the parent is suspended and the child runs alone, or mm->futex_ref is already allocated from an earlier CLONE_VM.

AnalysisAI

Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local unprivileged execution
Delivery
Clone with CLONE_VM minus CLONE_THREAD
Exploit
Exercise futex private-hash operations
Execution
Trigger use-after-free in futex_hash_put
Persist
Corrupt kernel slab memory
Impact
Escalate privileges to root

Vulnerability AssessmentAI

Exploitation Requires the attacker to already have local code execution as at least an unprivileged user (CVSS PR:L) on an affected kernel (~6.17 through the fix). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a real-but-bounded local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user runs a crafted program that clones with CLONE_VM but not CLONE_THREAD, sharing the address space outside a normal thread group, then exercises futex operations to free and re-bias the mm->futex_ref percpu counter. The resulting use-after-free in futex_hash_put corrupts kernel slab memory, which a skilled attacker can shape into privilege escalation. …
Remediation Upstream fix available (stable commits); patched versions are confirmed in the stable trees - update to a kernel containing commits 1dcd36420af2da5bd59306dba9caf78e3d248b1d / 974ac49a9a068b0591a59f65c63eb06579a13091 / ee9dce44362b2d8132c32964656ab6dff7dfbc6a (stable lines around 6.18.33 and the 7.0.10/7.1 series). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems running affected kernel versions through automated vulnerability scanning and asset inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy