Skip to main content

Linux Kernel CVE-2026-53050

| EUVDEUVD-2026-38918 HIGH
2026-06-24 Linux GHSA-4mf5-rjc5-62qc
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local low-priv access with no UI; AC:H because the UAF requires winning a narrow race under memory pressure; high CIA from kernel memory corruption.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:57 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in quota_release_workfn() like:

CPU0 (quota_release_workfn) CPU1 (dquot_scan_active) ====== ====== spin_lock(&dq_list_lock); list_replace_init( &releasing_dquots, &rls_head); /* dquot X on rls_head, dq_count == 0, DQ_ACTIVE_B still set */ spin_unlock(&dq_list_lock); synchronize_srcu(&dquot_srcu); spin_lock(&dq_list_lock); list_for_each_entry(dquot, &inuse_list, dq_inuse) { /* finds dquot X */ dquot_active(X) -> true atomic_inc(&X->dq_count); } spin_unlock(&dq_list_lock); spin_lock(&dq_list_lock); dquot = list_first_entry(&rls_head); WARN_ON_ONCE(atomic_read(&dquot->dq_count));

The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot.

Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.

AnalysisAI

Local privilege escalation and memory-corruption risk in the Linux kernel disk quota subsystem arises from a use-after-free race between dquot_scan_active() and quota deactivation in quota_release_workfn(). On affected kernels (multiple stable trees from 4.19 through 6.x/7.x), a dquot can be acquired by the scan path after being placed on the releasing list with dq_count==0, so under memory pressure the caller may operate on a freed dquot, corrupting kernel memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privilege shell
Delivery
Ensure quota subsystem active on target FS
Exploit
Induce memory pressure and concurrent quota ops
Execution
Win race in dquot_scan_active() vs release
Persist
Trigger use-after-free on freed dquot
Impact
Corrupt kernel memory / escalate privileges

Vulnerability AssessmentAI

Exploitation Requires local access with low (non-root) privileges on a Linux host where the disk quota subsystem is active - i.e., a filesystem mounted with quotas enabled (usrquota/grpquota) and quota accounting on. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a genuine-but-not-urgent local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with low privileges on a multi-user Linux system that has disk quotas enabled drives concurrent quota activity (e.g., repeated quota operations) while inducing memory pressure to widen the race window between the scan and release paths. The attacker triggers dquot_scan_active() to take a reference on a dquot already on the releasing list, causing a use-after-free that can corrupt kernel memory and potentially escalate privileges. …
Remediation Apply the vendor-released patch by upgrading to a fixed kernel for your branch: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later within each series), then reboot; on enterprise distributions install the corresponding distro kernel update that backports these commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit production systems to identify affected kernel versions (4.19 through 6.x and 7.x series) and prioritize critical infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy