Skip to main content

Linux Kernel CVE-2026-53190

| EUVDEUVD-2026-39281 MEDIUM
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vc55-8273-pjx9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access inside a virtio-gpu VM with low privileges needed to trigger the fence error path; only availability impact from progressive memory leak.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 12:55 vuln.today
CVSS changed
Jul 06, 2026 - 12:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()

dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() which does cursor->chain = dma_fence_get(head), taking an extra reference. On normal loop completion, dma_fence_unwrap_next() releases this via dma_fence_chain_walk() -> dma_fence_put().

When virtio_gpu_do_fence_wait() fails and the function returns early from inside the loop, the cursor->chain reference is never released. This is the only caller in the entire kernel that does an early return inside dma_fence_unwrap_for_each.

Add dma_fence_put(itr.chain) before the early return.

AnalysisAI

Reference-count leak in the Linux kernel's drm/virtio GPU driver allows a local low-privilege user inside a QEMU/KVM virtual machine to gradually exhaust kernel memory, causing a guest denial of service. The bug exists in virtio_gpu_dma_fence_wait(), where an early error return from inside dma_fence_unwrap_for_each() leaves a dma_fence reference acquired by dma_fence_unwrap_first() unreleased - the only such early-return site in the entire kernel tree. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege local shell inside virtio-gpu VM
Delivery
Submit GPU commands triggering fence-chain iteration
Exploit
Force error return in virtio_gpu_do_fence_wait() mid-loop
Install
dma_fence reference leaks on early exit
C2
Repeat invocations accumulate leaked references
Execute
Kernel memory exhausted
Impact
VM guest denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be a virtual machine with a virtio-gpu paravirtual GPU device actively assigned (QEMU/KVM configuration). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 5.5 Medium score (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is consistent with the described behavior: local exploitation requiring low privileges, with impact limited to availability (memory exhaustion) and no confidentiality or integrity compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privilege user inside a QEMU/KVM VM with an active virtio-gpu device crafts GPU workloads designed to trigger an error return from virtio_gpu_do_fence_wait() during fence-chain iteration. Each failed call leaks one dma_fence reference; the attacker repeats this in a loop until cumulative unreleased references exhaust the guest kernel's memory, resulting in an out-of-memory condition and guest denial of service. …
Remediation Update the Linux kernel to a patched stable release corresponding to the deployed branch: 7.0.13, 6.18.36, 6.12.94, or 6.6.143, or any 7.1 final release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy