misc: fastrpc: fix use-after-free race in fastrpc_map_create_CVE-2026-53160

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free race in fastrpc_map_create

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.

Basic Information

ID CVE-2026-53160

Source Linux

Published Jun 25, 2026 at 08:38

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version 0b70ec82b309a4093106ff399da1911ad23b52d3

Affected Versions Linux Linux 0b70ec82b309a4093106ff399da1911ad23b52d3
Linux Linux d7513b47082c08105e837b06cebeb3f07a5fa56f
Linux Linux 802359a52676176b18713e33caa17572ad009057
Linux Linux 10df039834f84a297c72ec962c0f9b7c8c5ca31a
Linux Linux 10df039834f84a297c72ec962c0f9b7c8c5ca31a
Linux Linux 10df039834f84a297c72ec962c0f9b7c8c5ca31a
Linux Linux f3f59bab68e9bc714f757ab22f3fb36153014043
Linux Linux 6.1.156
Linux Linux 6.6.112
Linux Linux 6.12.53
Linux Linux 6.17.3
Linux Linux 6.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix use-after-free race in fastrpc_map_create\n\nfastrpc_map_lookup returns a raw pointer after releasing fl->lock. The\ncaller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)\non this unprotected pointer. A concurrent MEM_UNMAP can free the map\nbetween the lock release and the kref operation, resulting in a\nuse-after-free on the freed slab object.\n\nRestore the take_ref parameter to fastrpc_map_lookup so the reference\nis acquired atomically under fl->lock before the pointer is exposed to\nthe caller.",
    "published": "2026-06-25T08:38:42.138Z",
    "modified": "2026-06-28T06:39:36.143Z",
    "type": "cve",
    "title": "misc: fastrpc: fix use-after-free race in fastrpc_map_create",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/0a3b87293fbd34fda651e6aead9964f84b893962\nhttps://git.kernel.org/stable/c/8b080c89183196fd3e49212f2a1a1c4a29335b9c\nhttps://git.kernel.org/stable/c/5b0166112019d1dce30b976ab28fd67f7f0be532\nhttps://git.kernel.org/stable/c/992f121796b7ca83a5a8b93da24e971363206218\nhttps://git.kernel.org/stable/c/f20f6512ecb75c816e0debf4551a138f098615c4\nhttps://git.kernel.org/stable/c/07ebe87915d8accdaba20c4f88c5ae430fe62fbb",
    "id": "CVE-2026-53160",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 0b70ec82b309a4093106ff399da1911ad23b52d3\nLinux Linux d7513b47082c08105e837b06cebeb3f07a5fa56f\nLinux Linux 802359a52676176b18713e33caa17572ad009057\nLinux Linux 10df039834f84a297c72ec962c0f9b7c8c5ca31a\nLinux Linux 10df039834f84a297c72ec962c0f9b7c8c5ca31a\nLinux Linux 10df039834f84a297c72ec962c0f9b7c8c5ca31a\nLinux Linux f3f59bab68e9bc714f757ab22f3fb36153014043\nLinux Linux 6.1.156\nLinux Linux 6.6.112\nLinux Linux 6.12.53\nLinux Linux 6.17.3\nLinux Linux 6.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "0b70ec82b309a4093106ff399da1911ad23b52d3",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply