Skip to main content

Linux Kernel EUVDEUVD-2026-39280

| CVE-2026-53189 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g27r-592c-r436
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Local low-priv trigger (AV:L/PR:L); a small race window justifies AC:H; primary impact is kernel-memory read (C:H) with limited integrity/availability effect from freed-folio reuse (I:L/A:L).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:27 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: update file PMD counter before folio_put()

__split_huge_pmd_locked() updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folio_put() drops the last reference, mm_counter_file() can later read freed folio state via folio_test_swapbacked().

Move the counter update before folio_put().

AnalysisAI

Use-after-free in the Linux kernel's transparent huge page code (mm/huge_memory) lets a local low-privileged process read freed folio state when __split_huge_pmd_locked() updates the file/shmem RSS counter only after dropping the PMD mapping's folio reference. On affected kernels (introduced around the 4.19 era through to fixes in 6.x/7.x stable trees), a final folio_put() can free the folio before mm_counter_file() inspects it via folio_test_swapbacked(), enabling reads of freed kernel memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-priv code execution
Delivery
Map file/shmem-backed huge pages
Exploit
Trigger repeated PMD split under memory pressure
Execution
Win folio_put()/counter race window
Persist
Reallocate freed folio via heap grooming
Impact
Read freed kernel memory or corrupt RSS state

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution on the host (CVSS AV:L) with at least low privileges (PR:L) - no remote vector and no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) marks this as a high-severity local issue requiring only low privileges, but several signals temper real-world urgency: EPSS is 0.18% (8th percentile), there is no CISA KEV listing, and no public PoC is referenced. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with an unprivileged shell or code execution inside a container repeatedly triggers splitting of file/shmem huge-page mappings (e.g., via mmap of huge-page-backed files plus madvise/munmap under memory pressure) to hit the narrow window where folio_put() frees the folio before the RSS counter is read. By grooming the kernel heap to reallocate that freed folio, the attacker reads leaked kernel memory or corrupts page accounting, potentially advancing toward privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (or your distribution's equivalent backport). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit Linux kernel versions across all systems to identify those running 4.19-era through early 6.x/7.x. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy