Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local unprivileged syscall trigger (AV:L, PR:L), no UI needed, purely a kernel crash with no confidentiality or integrity impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task.
The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash.
Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
AnalysisAI
NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local account with at least low-privilege access (PR:L) capable of executing the futex(2) syscall. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) correctly characterizes this as a local denial-of-service requiring low-privilege access with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on a shared Linux system (container host, cloud VM, multi-tenant server) writes a small program that allocates two futex addresses, acquires a PI futex on one, then issues FUTEX_CMP_REQUEUE_PI targeting the same futex it already owns - constructing a deliberate self-deadlock for a non-top waiter. This triggers the unguarded remove_waiter() code path, causing a NULL pointer dereference and immediate kernel panic that crashes the entire host. |
| Remediation | Upstream fix available via three stable-tree commits: 16f8e17184b31382076f84751db5ac51fc02733e, 1f2f3f3eacd6653ab215c5d2ea70811148d433fc, and 74e144274af39935b0f410c0ee4d2b91c3730414, all referenced at https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39257
GHSA-5f39-wjpq-xrrj