Skip to main content

Linux Kernel CVE-2026-53265

| EUVDEUVD-2026-39216 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-257g-7vrp-j9f8
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local low-priv access (AV:L/PR:L); race timing makes AC:H; impact is memory corruption causing integrity/availability loss (I:H/A:H) with no real disclosure (C:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:48 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: check allocation under invalidate lock

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks") added mq->lock around the destructive part of smq_invalidate_mapping(), but left the e->allocated check outside the critical section.

That leaves a check-then-act race. Two concurrent invalidators can both observe e->allocated as true before either of them takes mq->lock. The first invalidator that acquires the lock removes the entry from the queues and hash table and then calls free_entry(), which clears e->allocated and puts the entry back on the free list. The second invalidator can then acquire mq->lock and continue with the stale result of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that is no longer on those structures. It can also hit the allocation check in free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the destructive operations are serialized by the same lock.

AnalysisAI

Local privilege-escalation/memory-corruption in the Linux kernel device-mapper dm-cache 'smq' policy allows a low-privileged local user to trigger a check-then-act race in smq_invalidate_mapping(). The e->allocated predicate was evaluated outside mq->lock, so two concurrent cache-block invalidators can both see an entry as allocated and free it twice, corrupting the SMQ queues/hash table and tripping the allocation assertion in free_entry(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged access
Delivery
Reach dm-cache smq invalidation path
Exploit
Race two concurrent invalidators on one entry
Execution
Double-free entry, corrupt SMQ queues/hash
Impact
Kernel panic or escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires the system to be running the device-mapper dm-cache target configured with the smq cache replacement policy, and the attacker must be a local low-privileged user (CVSS PR:L) able to initiate concurrent cache-block invalidation operations on that cache. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent in pointing to a real but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host using dm-cache with the smq policy, a low-privileged local user with the ability to trigger cache-block invalidations races two concurrent invalidation operations against the same entry. Both observe the entry as allocated before either takes mq->lock, leading to a double free_entry() and corruption of the SMQ queues/hash table - crashing the kernel or potentially enabling further escalation. …
Remediation Apply the vendor-released stable kernel update for your tree: upgrade to 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (or later) as appropriate, which moves the e->allocated allocation check under mq->lock so the predicate and destructive operations are serialized. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Linux systems using device-mapper dm-cache and identify kernel versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy