Skip to main content

Linux Kernel CVE-2026-53185

| EUVDEUVD-2026-39276 HIGH
Signal Handler Race Condition (CWE-364)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4pqw-3h25-qrq3
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local low-priv access to the zram device (AV:L/PR:L); AC:H because it requires the non-default admin-configured writeback backing device; kernel UAF yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:25 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

zram: fix use-after-free in zram_bvec_write_partial()

zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.

AnalysisAI

Use-after-free in the Linux kernel zram block-device driver allows local attackers to corrupt freed kernel page memory when a zram device is configured with a writeback (ZRAM_WB) backing device. The flaw is in zram_bvec_write_partial(), which passes its parent bio into zram_read_page(), causing the backing-device read to be dispatched asynchronously and return before completion; the buffer is then copied, rewritten, and freed while the in-flight read still writes into it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to zram-backed device
Delivery
Identify slots evicted to writeback backing device
Exploit
Issue partial sub-page write triggering async read
Execution
Buffer freed while read in flight
Persist
Async read corrupts freed page
Impact
Escalate privileges or disclose kernel memory

Vulnerability AssessmentAI

Exploitation Exploitation requires the zram device to be configured with a writeback backing device (ZRAM_WB) - set via /sys/block/zramX/backing_dev - which is not the default zram configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8) describes a local, low-privilege flaw with full CIA impact consistent with a kernel UAF that can lead to memory disclosure or privilege escalation (the source tag 'Information Disclosure' aligns with leaking freed-page contents). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a system where an administrator has configured zram with a writeback backing device, a local user with write access to the zram-backed block device or filesystem issues sub-page (partial) writes that target slots already evicted to the backing device. The kernel dispatches the backing read asynchronously and frees the page buffer before the read completes, so the in-flight read writes into freed memory, giving the attacker a use-after-free primitive usable for information disclosure or privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed Linux stable release - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, whichever matches your branch (commits at https://git.kernel.org/stable/c/0c2821665ff71be3f4b07ecece384669f2877f6a and the related stable hashes). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify Linux systems with zram writeback enabled by checking for ZRAM_WB configuration in running kernels and filesystem mounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy