Skip to main content

CWE-667

Improper Locking

520 CVEs Avg CVSS 5.7 MITRE
2
CRITICAL
52
HIGH
458
MEDIUM
8
LOW
12
POC
2
KEV

Monthly

CVE-2026-53323 MEDIUM PATCH This Month

Deadlock in the Linux kernel's DSA (Distributed Switch Architecture) subsystem allows a local low-privileged user to hang the kernel network stack by running ethtool against a DSA-configured conduit interface. The DSA subsystem replaces the conduit device's ethtool_ops with aggregating wrappers, but these wrappers redundantly invoke netdev_lock_ops() on a lock already held by the kernel ethtool infrastructure, creating a classic double-lock deadlock. No public exploit exists and EPSS sits at 0.15% (5th percentile), though the issue is trivially reproducible with standard system tooling on affected configurations.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53304 MEDIUM PATCH This Month

Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.

Authentication Bypass Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53293 MEDIUM PATCH This Month

Improper locking in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to trigger a kernel deadlock or system crash via the AMDGPU_INFO_READ_MMR_REG ioctl. Three distinct concurrency defects exist: inverted lock ordering between the reset semaphore and mm_lock (permitting copy_to_user() under lock), memory allocation while holding the reset semaphore, and use of down_read_trylock() where a blocking wait is required. No public exploit code has been identified and EPSS is 0.17%, placing this firmly in opportunistic-rather-than-targeted risk territory.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53231 MEDIUM PATCH This Month

Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53207 MEDIUM PATCH This Month

Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. No confirmed active exploitation exists (not in CISA KEV), and EPSS sits at 0.18% (8th percentile), indicating negligible real-world exploitation probability at this time.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53197 MEDIUM PATCH This Month

ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. No public exploit code has been identified and EPSS is 0.17% (7th percentile), indicating this is a low-probability exploitation target; the impact is a kernel deadlock causing a system hang (DoS) with no confidentiality or integrity impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53180 HIGH PATCH This Week

Denial of service in the Linux kernel timer migration subsystem allows the global timer hierarchy to enter an indefinite livelock, hanging the affected CPU. The flaw is in tmigr_handle_remote_up(), where tmigr_handle_remote_cpu() skipped timer_expire_remote() for the local CPU on the assumption that the softirq path already serviced its timers; when jiffies advance between local timer processing and remote evaluation, a newly expired timer is never run and is re-queued with expires==now, spinning the goto-again loop forever. The CVSS 3.1 base score is 7.5 (availability only) but EPSS is just 0.18% (7th percentile), there is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53037 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix deadlock in hid_post_reset() You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hid_pre_reset() and hid_post_reset() are in the block IO error handling. Hence no memory allocation used in them may do block IO because the IO can deadlock on the mutex held while resetting a device and calling the interface drivers. Use GFP_NOIO for all allocations in them.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53035 MEDIUM PATCH This Month

The Linux kernel's BPF sockmap subsystem deadlocks when a BPF iterator program iterating over AF_UNIX sockets via `bpf_iter_unix_seq_show()` simultaneously attempts to update a sockmap entry during the same execution context. When `lock_sock_fast()` takes the spinlock fast path and holds `slock-AF_UNIX`, any subsequent `sock_map_update_elem()` call within the BPF iterator program spins indefinitely attempting to re-acquire the same spinlock on the same CPU, causing an unrecoverable kernel deadlock and loss of system availability. This is not confirmed actively exploited (not in CISA KEV), no public exploit has been identified, and EPSS at 0.17% (7th percentile) confirms negligible current exploitation interest; the real-world risk is constrained to specialized BPF workloads with specific capability requirements.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52979 MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel's DSA (Distributed Switch Architecture) subsystem allows a local low-privileged user to hang the kernel network stack by running ethtool against a DSA-configured conduit interface. The DSA subsystem replaces the conduit device's ethtool_ops with aggregating wrappers, but these wrappers redundantly invoke netdev_lock_ops() on a lock already held by the kernel ethtool infrastructure, creating a classic double-lock deadlock. No public exploit exists and EPSS sits at 0.15% (5th percentile), though the issue is trivially reproducible with standard system tooling on affected configurations.

Linux Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.

Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper locking in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to trigger a kernel deadlock or system crash via the AMDGPU_INFO_READ_MMR_REG ioctl. Three distinct concurrency defects exist: inverted lock ordering between the reset semaphore and mm_lock (permitting copy_to_user() under lock), memory allocation while holding the reset semaphore, and use of down_read_trylock() where a blocking wait is required. No public exploit code has been identified and EPSS is 0.17%, placing this firmly in opportunistic-rather-than-targeted risk territory.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. No confirmed active exploitation exists (not in CISA KEV), and EPSS sits at 0.18% (8th percentile), indicating negligible real-world exploitation probability at this time.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. No public exploit code has been identified and EPSS is 0.17% (7th percentile), indicating this is a low-probability exploitation target; the impact is a kernel deadlock causing a system hang (DoS) with no confidentiality or integrity impact.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel timer migration subsystem allows the global timer hierarchy to enter an indefinite livelock, hanging the affected CPU. The flaw is in tmigr_handle_remote_up(), where tmigr_handle_remote_cpu() skipped timer_expire_remote() for the local CPU on the assumption that the softirq path already serviced its timers; when jiffies advance between local timer processing and remote evaluation, a newly expired timer is never run and is re-queued with expires==now, spinning the goto-again loop forever. The CVSS 3.1 base score is 7.5 (availability only) but EPSS is just 0.18% (7th percentile), there is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix deadlock in hid_post_reset() You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hid_pre_reset() and hid_post_reset() are in the block IO error handling. Hence no memory allocation used in them may do block IO because the IO can deadlock on the mutex held while resetting a device and calling the interface drivers. Use GFP_NOIO for all allocations in them.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's BPF sockmap subsystem deadlocks when a BPF iterator program iterating over AF_UNIX sockets via `bpf_iter_unix_seq_show()` simultaneously attempts to update a sockmap entry during the same execution context. When `lock_sock_fast()` takes the spinlock fast path and holds `slock-AF_UNIX`, any subsequent `sock_map_update_elem()` call within the BPF iterator program spins indefinitely attempting to re-acquire the same spinlock on the same CPU, causing an unrecoverable kernel deadlock and loss of system availability. This is not confirmed actively exploited (not in CISA KEV), no public exploit has been identified, and EPSS at 0.17% (7th percentile) confirms negligible current exploitation interest; the real-world risk is constrained to specialized BPF workloads with specific capability requirements.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy