Skip to main content

Linux Kernel EUVDEUVD-2026-39902

| CVE-2026-53297 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-26 Linux GHSA-43rv-4q7x-r3cg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H applied because exploitation requires a non-attacker-controlled PM resume failure precondition; all other metrics align with the provided vector.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:35 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: mana: Guard mana_remove against double invocation

If PM resume fails (e.g., mana_attach() returns an error), mana_probe() calls mana_remove(), which tears down the device and sets gd->gdma_context = NULL and gd->driver_data = NULL.

However, a failed resume callback does not automatically unbind the driver. When the device is eventually unbound, mana_remove() is invoked a second time. Without a NULL check, it dereferences gc->dev with gc == NULL, causing a kernel panic.

Add an early return if gdma_context or driver_data is NULL so the second invocation is harmless. Move the dev = gc->dev assignment after the guard so it cannot dereference NULL.

AnalysisAI

Kernel panic via NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver allows a local low-privileged user to crash the host when a power management resume failure leaves the driver in a torn-down state. The mana_remove() function is invoked twice - first during a failed mana_probe() recovery path that nullifies gdma_context and driver_data, and again when the driver is subsequently unbound - dereferencing a NULL gc pointer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local shell access to Azure Linux VM
Delivery
Induce or await PM resume failure (mana_attach error)
Exploit
mana_probe() calls mana_remove(), nullifying gdma_context
Execution
Trigger MANA device unbind (driver reload or VM operation)
Persist
Second mana_remove() dereferences NULL gc pointer
Impact
Kernel panic causes VM reboot

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the target system must be a Linux VM running on Microsoft Azure using the MANA virtual NIC driver (not present on physical hardware or non-Azure hypervisors); (2) a power management resume failure must occur - specifically, mana_attach() must return an error during PM resume - which sets gdma_context to NULL via the mana_probe() error path; (3) after this failure, the MANA driver must be unbound (e.g., via driver reload, device hotplug removal, or VM lifecycle operations) to trigger the second mana_remove() invocation; (4) local access with at least low-privilege credentials (PR:L per CVSS) is required to be present on the system, though the PM failure itself may be environmental rather than attacker-triggered. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-low despite a CVSS availability impact of High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on an Azure Linux VM with the MANA virtual NIC encounters (or induces) a PM resume failure - for example, by triggering a suspend/resume cycle during a transient network configuration error that causes mana_attach() to return an error. The kernel's mana_probe() error path then calls mana_remove(), nullifying gdma_context. …
Remediation Upgrade to Linux kernel 6.18.33, 7.0.10, or 7.1 where the NULL guard in mana_remove() has been applied; patch commits are confirmed at the three kernel.org stable links in the references. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy