
Linux Kernel · EUVD-2026-39857

CVE-2026-53322 HIGH
Premature Release of Resource During Expected Lifetime (CWE-826)
2026-06-26 Linux GHSA-rj34-crxv-j5mg
8.8
CVSS 3.1 · Vendor: Linux

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local VFIO device access needed (AV:L/PR:L); a 'tiny window' shutdown race makes it AC:H; resources pass to another driver so S:C, with high info-leak and corruption impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Linux).

CVSS Vector (Vendor: Linux)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 28, 2026 - 09:55 (vuln.today)
CVSS changed: Jun 28, 2026 - 08:22 (NVD), 8.8 (HIGH)
Patch available: Jun 26, 2026 - 21:02 (EUVD)
CVE Published: Jun 26, 2026 - 19:41 (cve.org), HIGH 8.8
CVE Published: Jun 26, 2026 - 19:41 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Clean up DMABUFs before disabling function

On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible.

This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.

Analysis (AI)

Resource access-after-free in the Linux kernel's vfio/pci subsystem allows a local user with device access to read or corrupt PCI device resources during a race window on device shutdown, because vfio_pci_core_close_device() disabled the function before tearing down DMABUF exports. During the window the function's Memory Space Enable bit is cleared and its BARs (and their backing resources) are freed and reassignable to another driver, while stale DMABUF mappings still reference them. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local VFIO device access
Delivery: Export device BARs as DMABUF
Exploit: Trigger device close/disable
Execution: Race the post-disable window
Persist: Access freed/reassigned resources
Impact: Leak or corrupt device memory

Vulnerability Assessment (AI)

Exploitation: Requires local access to a system where the attacker can bind/use a VFIO PCI device and create DMABUF exports of its BARs - i.e. …

Risk Assessment: Signals are mixed and lean toward low practical priority despite the 8.8 base score. …

Exploit Scenario: A local user (or a guest/userspace driver) that legitimately holds a VFIO PCI device repeatedly triggers device close/shutdown while holding or re-mapping DMABUF references to the device's BARs, racing to access the memory in the tiny window after the function is disabled and its resources are freed. Winning the race lets the attacker read or write resources that have been released and potentially reassigned to another driver, causing information disclosure or host-side resource corruption. …

Remediation: Patch available per vendor advisory: upgrade to a Linux kernel containing the fix commits 4f1000a30f67cf7d328059242776a858611d5ef9 and d97708701434ce72968e771976aaf9d3438fcafd (merged in the 6.19 cycle and backported to stable trees), which reorder vfio_pci_core_close_device() to call vfio_pci_dma_buf_cleanup() before vfio_pci_core_disable(); a released, tagged stable version number is not independently confirmed from the input, so apply your distribution's kernel update that references this CVE. …

Recommended Action (AI)

Within 24 hours: Identify all systems running vulnerable Linux kernel versions with vfio/pci functionality and PCI device passthrough capability. …
