Skip to main content

Linux Kernel CVE-2026-53273

| EUVDEUVD-2026-39224 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q972-3fgv-wchc
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local, low-priv access to the TEE device (AV:L/PR:L); exploitation hinges on winning a client-vs-supplicant race so AC:H; kernel UAF yields high C/I/A within the unchanged scope.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:50 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tee: optee: prevent use-after-free when the client exits before the supplicant

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request.

If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free.

Serialise access to the request with supp->mutex:

  • Hold supp->mutex in optee_supp_recv() and optee_supp_send() while

looking up and touching the request.

  • Let optee_supp_thrd_req() notice that the client has terminated and

signal optee_supp_send() accordingly.

With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race.

AnalysisAI

Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to TEE-enabled host
Delivery
Open OP-TEE device and submit supplicant request
Exploit
Kill client task mid-processing to free request
Execution
Trigger supplicant lookup of dangling idr entry
Persist
Reclaim freed memory with controlled data
Impact
Corrupt kernel state for DoS or privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a Linux system that is running OP-TEE on ARM TrustZone hardware with the kernel optee driver loaded and a tee-supplicant userspace daemon active - the bug cannot be triggered on kernels built without CONFIG_OPTEE or on systems lacking a TEE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8 HIGH) describes a locally exploitable, low-privilege issue with high impact to confidentiality, integrity and availability - consistent with a kernel use-after-free that can escalate to code execution, though the supplied tags label it 'Denial Of Service'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user with access to the TEE device opens a session and issues a supplicant-serviced request, then deliberately kills the client task while tee-supplicant is still processing it, freeing the request object while its ID remains in supp->idr. By timing a subsequent supplicant lookup against reallocation of the freed memory, the attacker corrupts kernel state to crash the system or attempt privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, or 6.18.36 (or later, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Linux kernel with OP-TEE driver support, particularly ARM-based infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy