Skip to main content

Linux Kernel EUVDEUVD-2026-38893

| CVE-2026-53025 HIGH
Use After Free (CWE-416)
2026-06-24 Linux GHSA-4c74-g9cq-vhc5
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local cdev access needed (AV:L, PR:L); deterministic open/disconnect/close sequence (AC:L); UAF can in principle reach full memory corruption, so C/I/A:H, though only DoS is demonstrated.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:52 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free on cdev close

This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the following panic when init on free is enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130 ... Call Trace: <TASK> cdev_put+0x18/0x30 __fput+0x255/0x2a0 __x64_sys_close+0x3d/0x80 do_syscall_64+0xa4/0x290 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The cdev is contained in the "gb_raw" structure, which is freed in the disconnect operation. When the cdev is released at a later time, cdev_put gets an address that points to freed memory.

To fix this use-after-free, convert the struct device from a pointer to being embedded, that makes the lifetime of the cdev and of this device the same. Then, use cdev_device_add, which guarantees that the device won't be released until all references to the cdev have been released. Finally, delegate the freeing of the structure to the device release function, instead of freeing immediately in the disconnect callback.

AnalysisAI

Use-after-free in the Linux kernel's greybus 'raw' driver (drivers/staging/greybus/raw.c) allows a local user holding an open character-device handle to trigger memory corruption when the underlying raw bundle is disconnected and the application later closes the cdev. The flaw stems from the gb_raw structure (which embeds the cdev) being freed in the disconnect callback while a userspace reference remains, causing cdev_put to operate on freed memory and a refcount underflow/panic, especially with CONFIG_INIT_ON_FREE_DEFAULT_ON=y. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to host
Delivery
Open greybus raw cdev handle
Exploit
Raw bundle disconnects, gb_raw freed
Execution
close() triggers cdev_put on freed memory
Persist
Kernel refcount underflow / use-after-free
Impact
DoS or memory corruption

Vulnerability AssessmentAI

Exploitation Requires local access to a system where the greybus 'raw' driver (CONFIG_GREYBUS_RAW) is built and loaded, and the attacker must be able to open the greybus raw character device (PR:L per CVSS - a local low-privileged but device-accessible user). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) indicates a local, low-complexity, low-privilege vector with high CIA impact - plausible since a UAF can in principle be steered toward disclosure or code execution, though the description only demonstrates a refcount underflow/panic (denial of service) and the intelligence tag is 'Information Disclosure'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with permission to open the greybus raw character device opens the /dev node, then arranges for (or waits for) the underlying raw bundle to be disconnected, which frees the backing gb_raw object. When the user subsequently closes the file descriptor, cdev_put dereferences freed memory, crashing the kernel or potentially being groomed for further memory corruption; no public exploit is known and the path requires local access with an open handle.
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply a kernel build that includes stable commits ef2d97c15b19b3489de01695bce478601e236c3e and 983cc2c7efbce04ecbf6328448d895044dd6ab31 (corresponding to stable lines reported as 7.0.10 and 7.1 in EUVD), available via https://git.kernel.org/stable/c/ef2d97c15b19b3489de01695bce478601e236c3e and https://git.kernel.org/stable/c/983cc2c7efbce04ecbf6328448d895044dd6ab31. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running the greybus raw driver module in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy