Skip to main content

Linux Kernel EUVDEUVD-2026-39899

| CVE-2026-53294 HIGH
Double Free (CWE-415)
2026-06-26 Linux GHSA-grhq-rqc2-rhjr
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.7 MEDIUM

Triggering needs privileged debugfs access (PR:H) and a specific RX-aliases-TX configuration (AC:H); impact is kernel memory corruption enabling code execution and DoS, with no direct confidentiality disclosure (C:N).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:11 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
7.8 (HIGH)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
HIGH 7.8
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mailbox: mailbox-test: don't free the reused channel

The RX channel can be aliased to the TX channel if it has a different MMIO. This special case needs to be handled when freeing the channels otherwise a double-free occurs.

AnalysisAI

Local privilege escalation potential in the Linux kernel's mailbox-test driver arises from a double-free when the RX channel is aliased to the TX channel (a valid configuration when they use different MMIO regions); the cleanup path frees the reused channel twice. Affecting the mailbox subsystem's test/debug driver across a wide range of stable branches (5.10 through 7.x), the flaw carries a 7.8 CVSS with an AV:L/PR:L vector and has an upstream fix, but EPSS is only 0.18% and there is no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to target host
Delivery
Interact with mailbox-test debugfs on aliased RX/TX channel
Exploit
Trigger double-free in channel release
Execution
Corrupt kernel slab metadata
Persist
Groom heap into use-after-free
Impact
Escalate privileges or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires that the mailbox-test driver (CONFIG_MAILBOX_TEST) be built and loaded, that the underlying platform configuration cause the RX mailbox channel to be aliased to the TX channel (the special case where they share a channel but have different MMIO), and local privileged access to drive the driver's debugfs interface that invokes the channel-free path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward lower real-world urgency than the 7.8 base score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a system where the mailbox-test module is loaded and the platform aliases the RX channel to the TX channel, a local attacker with sufficient privilege to interact with the driver's debugfs interface triggers the channel-release path, causing the same mailbox channel to be freed twice and corrupting kernel slab metadata. With careful heap grooming this double-free can be developed into a use-after-free for privilege escalation or used to crash the kernel (DoS). …
Remediation Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (whichever matches your series), or apply your distribution's backport of the upstream fix once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory systems running Linux kernels 5.10-7.x (particularly development/test infrastructure); confirm whether mailbox-test driver is loaded. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39899 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy