Skip to main content

Linux Kernel EUVDEUVD-2026-38888

| CVE-2026-53020 HIGH
Race Condition (CWE-362)
2026-06-24 Linux GHSA-m33q-f5vx-jwmj
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local access and low privilege are required (AV:L/PR:L); as a timing race condition AC:H is more honest than the vendor's AC:L, while page-table corruption yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:51 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

um: Fix potential race condition in TLB sync

During the TLB sync, we need to traverse and modify the page table, so we should hold the page table lock. Since full SMP support for threads within the same process is still missing, let's disable the split page table lock for simplicity.

AnalysisAI

Local privilege escalation or memory disclosure is possible in the User Mode Linux (UML/'um') architecture of the Linux kernel (affected around 6.19, fixed in 7.0.10 and 7.1) due to a TLB-sync race condition where the page table is traversed and modified without holding the page table lock. Concurrent threads in the same process can corrupt page table state, with CVSS 7.8 (local, low-privilege) and a high-impact triad; there is no public exploit identified at time of analysis and EPSS is low at 0.15% (5th percentile), consistent with a hard-to-trigger local race rather than a mass-exploited flaw.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local execution inside UML instance
Delivery
Spawn concurrent threads in same process
Exploit
Hammer TLB sync to race page-table walk
Execution
Corrupt unlocked page table state
Impact
Escalate privileges or disclose memory

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target be running the User Mode Linux (um) architecture build of the kernel and that the attacker already has local low-privilege code execution (PR:L) able to spawn multiple threads within the same UML process to concurrently trigger the TLB sync path and race the page-table modification. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) reflects a high-impact local issue requiring some privilege but no user interaction, however the underlying defect is a race condition, which in practice raises real-world attack complexity above the AC:L the vendor score assigns - exploitation requires winning a timing window between concurrent threads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with the ability to run code inside a User Mode Linux instance launches multiple threads in the same process and repeatedly triggers TLB synchronization to race the unlocked page-table traversal, corrupting page table state to escalate privileges or read memory they should not access. Given AV:L/PR:L and the AC:L score, no user interaction is needed, but as a timing race it may require many attempts to win the window. …
Remediation Apply the vendor-released patch by upgrading to a fixed Linux kernel build - stable patch level 7.0.10 or the 7.1 series - which incorporate stable commits f21c343ec7419377bff89ab11146c03ae117036f and 102331b66bcaf1f41f50b9c4cd5c36e46bafa9f3 that disable the split page table lock to serialize TLB-sync page-table access; obtain these from https://git.kernel.org/stable/c/f21c343ec7419377bff89ab11146c03ae117036f and the advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-53020. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems running User Mode Linux architecture, particularly kernel versions 6.19 through 7.0.9. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy