Skip to main content

Linux Kernel CVE-2026-53059

| EUVDEUVD-2026-38927 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-24 Linux GHSA-vj88-ppr4-hj46
6.3
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.4 MEDIUM

Local only (AV:L); triggering needs a contrived oversized dm target (AC:H) and CAP_SYS_ADMIN to create dm targets (PR:H); heap corruption yields full kernel CIA impact, scope unchanged.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Severity Changed
Jul 02, 2026 - 12:22 NVD
HIGH MEDIUM
CVSS changed
Jul 02, 2026 - 12:22 NVD
7.0 (HIGH) 6.3 (MEDIUM)
Analysis Generated
Jun 30, 2026 - 05:30 vuln.today
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.0 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.0
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dm log: fix out-of-bounds write due to region_count overflow

The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions.

Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc.

This can be reproduced by creating a mirror target whose region_count overflows 32 bits:

dmsetup create bigzero --table '0 8589934594 zero' dmsetup create mymirror --table '0 8589934594 mirror \ core 2 2 nosync 2 /dev/mapper/bigzero 0 \ /dev/mapper/bigzero 0'

The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1):

$ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...

This leads to a kernel crash in core_in_sync:

BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:core_in_sync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed!

Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count.

AnalysisAI

Out-of-bounds kernel heap write in the Linux kernel's device-mapper dm-log module (dm_log) lets a privileged local actor corrupt vmalloc-allocated memory by overflowing a 32-bit region_count. In create_log_context(), dm_sector_div_up() returns a 64-bit sector_t that is truncated into an unsigned int, so a dm target with very large ti->len and small region_size under-allocates the clean_bits/sync_bits/recovering_bits bitsets while later log operations index the full untruncated region space. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain CAP_SYS_ADMIN in namespace/container
Delivery
Create oversized dm mirror target via dmsetup
Exploit
Overflow 32-bit region_count truncates bitset allocation
Execution
Trigger log bit operations indexing full region space
Persist
Out-of-bounds write into vmalloc kernel heap
Impact
Kernel crash or controlled heap corruption for privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local privileged access sufficient to create a device-mapper target (dmsetup create), which on stock systems means CAP_SYS_ADMIN. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a real but bounded local issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with CAP_SYS_ADMIN inside a privileged container or compromised low-trust service uses dmsetup to create a mirror target over a multi-terabyte zero device with a small region_size, forcing region_count past 2^32 (the public reproducer demonstrates exactly this with an 8589934594-sector table). The truncated bitset allocation then drives out-of-bounds writes into kernel heap during log bit operations, crashing the kernel and potentially enabling controlled heap corruption for privilege escalation or container-to-host escape. …
Remediation Vendor-released patch: upgrade to the fixed stable kernel for your branch - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported build; track Red Hat at https://access.redhat.com/security/cve/CVE-2026-53059). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog all Linux systems running device-mapper in your infrastructure (storage servers, LVM deployments, container platforms); contact your Linux distribution vendor for patch availability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy