Skip to main content

Linux Kernel EUVDEUVD-2026-39256

| CVE-2026-53165 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f5cm-4mmf-92c9
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Trigger is a local cross-CPU race needing file read access plus a concurrent truncate, so AV:L/AC:H/PR:L; impact is a kernel crash only, hence C:N/I:N/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:18 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iomap: avoid potential null folio->mapping deref during error reporting

When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(folio->mapping->host, ...). This is called after ifs->read_bytes_pending has been decremented by the bytes attempted to be read.

For a folio split across multiple read completions, the folio is only guaranteed to stay locked while read_bytes_pending > 0. Once iomap_finish_folio_read() decrements read_bytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping. As reported by Sam Sun, this is the race that can occur:

CPU0: failed completion CPU1: final completion CPU2: truncate ----------------------- ---------------------- -------------- read_bytes_pending -= len finished = false /* preempted before fserror_report_io() */ read_bytes_pending -= len finished = true folio_end_read() truncate clears folio->mapping fserror_report_io( folio->mapping->host, ...) ^ NULL deref

Fix this by reporting the error first before decrementing ifs->read_bytes_pending.

AnalysisAI

Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local file read access
Delivery
Issue buffered reads triggering I/O error
Exploit
Race concurrent truncate on same folio
Execution
Error path derefs NULL folio->mapping
Impact
Kernel panic / DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires local filesystem activity against a filesystem using the iomap buffered read path (such as XFS): a buffered read that actually fails (an underlying storage/I/O read error), a folio large enough to be split across multiple concurrent read completions, and a concurrently-running truncate on the same file to detach folio->mapping during the narrow window after read_bytes_pending is decremented. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a moderate, availability-only issue rather than a top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user repeatedly issues buffered reads against a file backed by an iomap filesystem while inducing read I/O errors (e.g., from a flaky or fault-injected block device) and simultaneously truncating the file. With the right timing across CPUs, the failed-read completion path dereferences a folio whose mapping was just cleared by truncate, panicking the kernel and crashing the host. …
Remediation Upgrade to a fixed stable kernel: per EUVD the fix lands in the 7.0.13 and 7.1 lines, corresponding to upstream commits 1ad453817a4077230d1ba88eb0868f05f824449a and 2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 (https://git.kernel.org/stable/c/1ad453817a4077230d1ba88eb0868f05f824449a). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify systems running vulnerable Linux kernel versions, prioritizing production servers handling critical workloads. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy