Skip to main content

Linux Kernel CVE-2026-53296

| EUVDEUVD-2026-39901 HIGH
Use After Free (CWE-416)
2026-06-26 Linux GHSA-h624-59g3-97r5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local vector; triggering a probe-error UAF needs module-load/hardware-binding control (PR:H) and a race-like error path (AC:H), but successful exploitation yields full kernel compromise (C/I/A:H).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:12 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
7.8 (HIGH)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
HIGH 7.8
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mailbox: mailbox-test: free channels on probe error

On probe error, free the previously obtained channels. This not only prevents a leak, but also UAF scenarios because the client structure will be removed nonetheless because it was allocated with devm.

AnalysisAI

Use-after-free in the Linux kernel's mailbox-test debug driver (mailbox-test.c) allows a local privileged attacker to corrupt kernel memory when the driver's probe routine fails, because previously acquired mailbox channels are not released while the devm-allocated client structure is freed anyway. The flaw carries a CVSS of 7.8 with high confidentiality, integrity, and availability impact, but exploitation is local and requires the mailbox-test module to load and hit a probe error path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to target host
Delivery
Ensure mailbox-test driver loads
Exploit
Force probe error after channel request
Execution
Trigger use-after-free on freed client
Persist
Groom kernel heap to control dangling reference
Impact
Escalate privileges or corrupt kernel memory

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a kernel built with the mailbox-test driver (CONFIG_MAILBOX_TEST) present and loaded, and (2) the driver's probe routine hitting an error path after it has already obtained mailbox channels - for example due to a malformed or partially-satisfiable device-tree/ACPI mailbox binding. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates this 7.8 High, but all real-world signals point to modest priority: EPSS is 0.18% (7th percentile), the CVE is not on CISA KEV, and no POC is known. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with the privileges needed to load kernel modules or influence mailbox device binding causes the mailbox-test driver to fail during probe after it has already acquired one or more channels; the freed devm-managed client is then referenced through the still-registered channel, yielding a use-after-free the attacker grooms toward kernel memory corruption and privilege escalation. Because the CVSS vector is AV:L/AC:L, exploitation is low-complexity but requires local access, and no public proof-of-concept is currently known.
Remediation Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10 or later, per your maintained branch, applying the commits at https://git.kernel.org/stable/c/6c6ce2ccb4fcf1617fec83f91b21aa0265f30701 and the sibling backports. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit your Linux systems to identify which hosts have the mailbox-test module loaded (lsmod | grep mailbox_test) and determine whether the module is required for production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy