Skip to main content

Linux Kernel EUVDEUVD-2026-38892

| CVE-2026-53024 HIGH
Use After Free (CWE-416)
2026-06-24 Linux GHSA-xg88-j2c7-g852
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.7 MEDIUM

Local chardev access (AV:L, PR:L); exploitation requires winning a write/disconnect race (AC:H); demonstrated impact is a kernel panic/DoS only (A:H, C:N/I:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:52 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free if write is called after disconnect

If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace (with CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

BUG: kernel NULL pointer dereference, address: 0000000000000218 ... Call Trace: <TASK> gb_operation_create_common+0x61/0x180 gb_operation_create_flags+0x28/0xa0 gb_operation_sync_timeout+0x6f/0x100 raw_write+0x7b/0xc7 [gb_raw] vfs_write+0xcf/0x420 ? task_mm_cid_work+0x136/0x220 ksys_write+0x63/0xe0 do_syscall_64+0xa4/0x290 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Disconnect calls gb_connection_destroy, which ends up freeing the connection object. When gb_operation_sync is called in the write file operations, its gets a freed connection as parameter and the kernel panics.

The gb_connection_destroy cannot be moved out of the disconnect function, as the Greybus subsystem expect all connections belonging to a bundle to be destroyed when disconnect returns.

To prevent this bug, use a rw lock to synchronize access between write and disconnect. This guarantees that the write function doesn't try to use a disconnected connection.

AnalysisAI

Local privilege-level denial of service in the Linux kernel's Greybus 'raw' character device driver (gb_raw) allows a user with access to the chardev to trigger a use-after-free by writing to the device after a disconnect has freed the underlying gb_connection object, causing a kernel NULL pointer dereference and panic (observed reliably with CONFIG_INIT_ON_FREE_DEFAULT_ON=y). The flaw is a race between the raw_write() path calling gb_operation_sync_timeout() and gb_connection_destroy() running during disconnect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local access with rights to Greybus raw chardev
Delivery
Open /dev raw device and prepare write
Exploit
Race write() against Greybus device disconnect
Execution
raw_write reuses freed gb_connection (use-after-free)
Impact
NULL pointer dereference triggers kernel panic (DoS)

Vulnerability AssessmentAI

Exploitation Requires the Greybus 'raw' driver (gb_raw) to be loaded and its character device present and accessible, plus a local account with permission to write() to that chardev (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates this High, but the supporting signals point to a more contained denial-of-service issue than the full C:H/I:H/A:H triad implies: the reproduction is a kernel NULL pointer dereference panic, and the intelligence tags explicitly label it 'Denial Of Service'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with read/write access to the Greybus raw character device opens it and, during or immediately after the corresponding Greybus device/bundle is removed (disconnect), issues a write() so that raw_write() calls into gb_operation_sync_timeout() with a connection object that gb_connection_destroy() has just freed. The freed-then-reused (zeroed under CONFIG_INIT_ON_FREE_DEFAULT_ON) connection triggers a NULL pointer dereference and kernel panic, taking the system down. …
Remediation Patch available per vendor advisory: apply the upstream stable fixes at commits https://git.kernel.org/stable/c/84265cbd96b97058ef67e3f8be3933667a000835 and https://git.kernel.org/stable/c/48d6c32bc049abd114e8f0836c0e7d7cbfba7827, which add a reader-writer lock to serialize raw_write() against disconnect; consume them via your distribution's patched kernel package rather than hand-applying where possible (a released, tagged kernel version is not independently confirmed from the input data). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory systems running Linux kernels with Greybus module enabled and CONFIG_INIT_ON_FREE_DEFAULT_ON=y enabled; review access controls to /dev/gb_raw* character devices. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy