Skip to main content

Linux Kernel CVE-2026-53062

| EUVDEUVD-2026-38930 HIGH
2026-06-24 Linux GHSA-4j2m-gfqm-629p
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local-only access to a privileged dm-cache device (AV:L/PR:L); timing-dependent concurrent-invalidation race justifies AC:H; kernel use-after-free yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:00 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: fix missing locks in invalidating cache blocks

In passthrough mode, the policy invalidate_mapping operation is called simultaneously from multiple workers, thus it should be protected by a lock. Otherwise, we might end up with data races on the allocated blocks counter, or even use-after-free issues with internal data structures when doing concurrent writes.

Note that the existing FIXME in smq_invalidate_mapping() doesn't affect passthrough mode since migration tasks don't exist there, but would need attention if supporting fast device shrinking via suspend/resume without target reloading.

Reproduce steps:

  1. Create a cache device consisting of 1024 cache entries

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

  1. Populate the cache, and record the number of cached blocks

fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \ --size=64m --direct=1 nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')

  1. Reload the cache into passthrough mode

dmsetup suspend cache dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" dmsetup resume cache

  1. Write to the passthrough cache. By setting multiple jobs with I/O

size equal to the cache block size, cache blocks are invalidated concurrently from different workers.

fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \ --direct=1 --numjobs=2 --randrepeat=0 --size=64m

  1. Check if demoted matches cached block count. These numbers should

match but may differ due to the data race.

nr_demoted=$(dmsetup status cache | awk '{print $12}') echo "$nr_cached, $nr_demoted"

AnalysisAI

Concurrent cache-block invalidation in the Linux kernel's device-mapper dm-cache smq policy (running in passthrough mode) corrupts shared state because the invalidate_mapping operation is invoked from multiple workers without locking. This produces data races on the allocated-blocks counter and use-after-free conditions in internal data structures during concurrent writes, enabling local memory corruption with potential for privilege escalation or denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local write access to passthrough dm-cache device
Delivery
Launch concurrent block-aligned write jobs
Exploit
Trigger unlocked simultaneous invalidate_mapping calls
Execution
Race corrupts block counter and frees in-use structures
Persist
Use-after-free in kernel memory
Impact
Crash or escalate privileges

Vulnerability AssessmentAI

Exploitation Requires a dm-cache device explicitly configured/reloaded into passthrough mode using the smq cache policy (the vendor reproducer reloads the cache table with the 'passthrough smq' arguments), and the attacker must be able to issue concurrent writes to that cache device - multiple workers performing block-size-aligned writes so that cache blocks are invalidated simultaneously. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine but low-likelihood local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user or process with the ability to issue writes to a dm-cache block device that an administrator has placed in passthrough mode with the smq policy launches multiple concurrent block-aligned write jobs (e.g. fio with numjobs=2 at the cache block size). …
Remediation Vendor-released patch: upgrade to a fixed kernel for your branch - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 or later - via your distribution's kernel update channel; the fix adds the missing policy lock around cache-block invalidation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify Linux systems using device-mapper cache (dm-cache) functionality and confirm patch availability from your distribution vendor. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy