Skip to main content

Linux Kernel EUVDEUVD-2026-39257

| CVE-2026-53166 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5f39-wjpq-xrrj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local unprivileged syscall trigger (AV:L, PR:L), no UI needed, purely a kernel crash with no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 18:24 vuln.today
CVSS changed
Jul 07, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock

When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task.

The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash.

Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().

AnalysisAI

NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local unprivileged shell
Delivery
Write program issuing FUTEX_CMP_REQUEUE_PI with self-owned target PI futex
Exploit
task_blocks_on_rt_mutex() returns -EDEADLK without setting waiter->task
Execution
remove_waiter() dereferences NULL waiter->task
Impact
Kernel panic crashes the host

Vulnerability AssessmentAI

Exploitation Exploitation requires a local account with at least low-privilege access (PR:L) capable of executing the futex(2) syscall. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) correctly characterizes this as a local denial-of-service requiring low-privilege access with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a shared Linux system (container host, cloud VM, multi-tenant server) writes a small program that allocates two futex addresses, acquires a PI futex on one, then issues FUTEX_CMP_REQUEUE_PI targeting the same futex it already owns - constructing a deliberate self-deadlock for a non-top waiter. This triggers the unguarded remove_waiter() code path, causing a NULL pointer dereference and immediate kernel panic that crashes the entire host.
Remediation Upstream fix available via three stable-tree commits: 16f8e17184b31382076f84751db5ac51fc02733e, 1f2f3f3eacd6653ab215c5d2ea70811148d433fc, and 74e144274af39935b0f410c0ee4d2b91c3730414, all referenced at https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy