Skip to main content

Linux Kernel CVE-2026-53282

| EUVDEUVD-2026-39887 MEDIUM
2026-06-26 Linux GHSA-865v-r97p-c9pq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Invoking kexec_load requires CAP_SYS_BOOT (root), justifying PR:H over the provided PR:L; impact is pure availability disruption with no C or I.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:22 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: Push kjump return address even for non-kjump kexec

The version of purgatory code shipped by kexec-tools attempts to look above the top of its stack to find a return address for a kjump, even in a non-kjump kexec.

After the commit in Fixes: the word above the stack might not be there, leading to a fault (which is at least now caught by my exception-handling code in kexec).

That commit fixed things for the actual kjump path, but no longer "gratuitously" pushes the unused return address to the stack in the non-kjump path. Put that *back* in the non-kjump path, to prevent purgatory from crashing when trying to access it.

AnalysisAI

Stack access fault in the x86/kexec purgatory handoff crashes non-kjump kexec operations on affected Linux kernel versions, resulting in a local denial of service. A prior regression removed a 'gratuitous' stack push in the non-kjump path; however, the purgatory code shipped by kexec-tools still reads above its stack top expecting that return address, triggering a memory fault that aborts the kexec reboot or crashes the system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain root or CAP_SYS_BOOT on target
Delivery
Invoke kexec_load for non-kjump reboot
Exploit
Purgatory reads above stack top for return address
Execution
Memory access fault triggers
Impact
kexec transition fails, system crashes (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires local access and CAP_SYS_BOOT (root-equivalent) to invoke the kexec_load system call. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) captures the local, availability-only nature of the flaw accurately, though PR:L likely underestimates the privilege bar - invoking kexec_load typically requires CAP_SYS_BOOT, effectively root, which aligns better with PR:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A system administrator or privileged local process invokes kexec to reboot into a new kernel using the standard non-kjump path. During the handoff, the kexec-tools purgatory code reads one word above its own stack top expecting a kjump return address that the kernel no longer pushes. …
Remediation Upgrade to a fixed kernel version: Linux 7.1, 7.0.10, or 6.18.33, all of which restore the missing stack push in the non-kjump kexec path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy