Skip to main content

Linux Kernel CVE-2026-53199

| EUVDEUVD-2026-39290 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-69hj-phjm-g9c3
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Fault triggers on the guest's own transmit path under a narrow 32-bit HIGHMEM Hyper-V config, so AV:L/AC:H/PR:L; impact is a kernel crash only, hence A:H with C:N/I:N.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:30 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

netvsc_copy_to_send_buf() copies page buffer entries into the VMBus send buffer using phys_to_virt() on the entry PFN. Entries for the RNDIS header and the skb linear data come from kmalloc'd memory and are always in the kernel direct map, but entries for skb fragments reference page cache or user pages, which on 32-bit x86 with CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page phys_to_virt() returns an address outside the direct map and the subsequent memcpy() faults on the transmit softirq path, which is fatal.

Map the pages with kmap_local_page() instead, handling two properties of the page buffer entries:

  • pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,

not a native PFN. Reconstruct the physical address first and derive the native page from it, so the mapping stays correct where PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).

  • Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN

grouping in the page buffer array"), an entry describes a full physically contiguous fragment and pb[i].len can exceed PAGE_SIZE, while kmap_local_page() maps a single page. Copy page by page, splitting at native page boundaries.

The copy path only handles packets smaller than the send section size (6144 bytes by default); larger packets take the cp_partial path where only the RNDIS header is copied. So entries here are bounded by the section size and a copy is split at most once on 4K-page systems. On !CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and no mapping work is added.

AnalysisAI

Denial of service in the Linux kernel's Hyper-V netvsc network driver (hv_netvsc) allows a system crash when transmitting packets whose skb fragments reference high memory. On 32-bit x86 builds with CONFIG_HIGHMEM=y, netvsc_copy_to_send_buf() calls phys_to_virt() on fragment PFNs that may live above the LOWMEM boundary, producing an address outside the kernel direct map; the following memcpy() faults fatally on the transmit softirq path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Run 32-bit x86 HIGHMEM guest on Hyper-V
Delivery
Generate outbound traffic with highmem-backed fragments
Exploit
hv_netvsc calls phys_to_virt on highmem PFN
Execution
memcpy faults on transmit softirq
Impact
Kernel crash / guest DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires a Linux guest running the hv_netvsc driver under Hyper-V, built for 32-bit x86 with CONFIG_HIGHMEM=y, and a transmit path where skb fragments reference page-cache or user pages residing above the LOWMEM boundary (high memory). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/A:H, score 7.5) rates this as a network, no-privilege, availability-only issue, but the description indicates the fault occurs on the guest's outbound transmit softirq path and is contingent on a specific, now-uncommon build configuration (32-bit x86 with CONFIG_HIGHMEM=y) running as a Hyper-V guest - this conflicts with a clean AV:N/AC:L reading and points to a much narrower, lower-likelihood condition than the headline score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a 32-bit x86 Linux VM with CONFIG_HIGHMEM running under Hyper-V, a local user or workload generates network output (e.g. a large file transfer or sendfile-based traffic) whose skb fragments map page-cache or user pages located in high memory. …
Remediation Vendor-released patch: upgrade to a fixed Linux stable release for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or 7.1 (or later), referencing the stable commits at https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b and the others listed in the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory 32-bit x86 Linux systems running on Hyper-V infrastructure to establish scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy