Skip to main content

Linux Kernel EUVDEUVD-2026-39253

| CVE-2026-53162 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9mhf-2p25-mwm3
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.6 LOW

Local-only (AV:L) non-deterministic NMI/entropy race gives AC:H; some local foothold assumed (PR:L); realistic impact is weakened randomness (C:L) and possible instability (A:L), not full triad.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:18 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

memcg: use round-robin victim selection in refill_stock

Harry Yoo reported that get_random_u32_below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context.

More specifically get_random_u32_below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state. The memcg_stock local_trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock.

Replace the random pick with a per-cpu round-robin counter stored in memcg_stock_pcp and serialized by the same local_trylock that already guards cached[] and nr_pages[]. No atomics, no random calls, no extra locks needed.

AnalysisAI

Local privilege/availability weakness in the Linux kernel memory cgroup (memcg) subsystem stems from refill_stock() calling get_random_u32_below() for victim selection, a routine that is neither reentrant- nor NMI-safe. Because memcg charge draining can occur in NMI context, an NMI landing mid-update of the per-CPU batched_entropy_u32 ChaCha state could corrupt the random subsystem's per-CPU local_lock state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local execution on affected kernel
Delivery
Induce heavy memcg charge-drain activity
Exploit
NMI fires during entropy batch update
Execution
Recurse into random subsystem
Persist
Corrupt per-CPU ChaCha state
Impact
Kernel instability or weakened RNG

Vulnerability AssessmentAI

Exploitation Triggering requires three concurrent conditions on the same CPU: (1) the Linux kernel must perform memcg (cgroup memory) charge draining in NMI context, (2) that NMI must land precisely while the batched_entropy_u32 ChaCha state is mid-update under its local_lock, and (3) the NMI handler path must recurse into the random subsystem (get_random_u32_below). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD/kernel CVSS of 7.8 (AV:L/AC:L/PR:L/UI:N/C:H/I:H/A:H) appears to be an automated, conservative worst-case rating that overstates real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a multi-tenant or container host under heavy memory pressure, frequent NMIs (e.g., perf sampling or hardware events) coincide with memcg charge draining; an NMI fires while a CPU is mid-update of its batched ChaCha entropy state and recurses into the random subsystem, corrupting that per-CPU state. The realistic outcome is non-deterministic kernel instability or weakened per-CPU randomness rather than reliable attacker-controlled code execution. …
Remediation Vendor-released patch: update to Linux kernel 7.0.13, 6.18.36, or 7.1 (or later) via your distribution's kernel update channel, which carries the upstream commits that replace get_random_u32_below() with a per-CPU round-robin counter (stable trees: https://git.kernel.org/stable/c/89bd8215e25aa6999cc51696da418e0d422bc5e0 and the related commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems and identify current kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy