greybus: raw: fix use-after-free on cdev close_CVE-2026-53025

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free on cdev close

This addresses a use-after-free bug when a raw bundle is disconnected
but its chardev is still opened by an application. When the application
releases the cdev, it causes the following panic when init on free is
enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130
...
Call Trace:
<TASK>
cdev_put+0x18/0x30
__fput+0x255/0x2a0
__x64_sys_close+0x3d/0x80
do_syscall_64+0xa4/0x290
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The cdev is contained in the "gb_raw" structure, which is freed in the
disconnect operation. When the cdev is released at a later time,
cdev_put gets an address that points to freed memory.

To fix this use-after-free, convert the struct device from a pointer to
being embedded, that makes the lifetime of the cdev and of this device
the same. Then, use cdev_device_add, which guarantees that the device
won't be released until all references to the cdev have been released.
Finally, delegate the freeing of the structure to the device release
function, instead of freeing immediately in the disconnect callback.

Basic Information

ID CVE-2026-53025

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux

Product Linux

Version e806c7fb8e9bae87fc23958c3789f2c2f96f54a4

Affected Versions Linux Linux e806c7fb8e9bae87fc23958c3789f2c2f96f54a4
Linux Linux e806c7fb8e9bae87fc23958c3789f2c2f96f54a4
Linux Linux 4.9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: raw: fix use-after-free on cdev close\n\nThis addresses a use-after-free bug when a raw bundle is disconnected\nbut its chardev is still opened by an application. When the application\nreleases the cdev, it causes the following panic when init on free is\nenabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):\n\n        refcount_t: underflow; use-after-free.\n        WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130\n         ...\n        Call Trace:\n         <TASK>\n         cdev_put+0x18/0x30\n         __fput+0x255/0x2a0\n         __x64_sys_close+0x3d/0x80\n         do_syscall_64+0xa4/0x290\n         entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe cdev is contained in the \"gb_raw\" structure, which is freed in the\ndisconnect operation. When the cdev is released at a later time,\ncdev_put gets an address that points to freed memory.\n\nTo fix this use-after-free, convert the struct device from a pointer to\nbeing embedded, that makes the lifetime of the cdev and of this device\nthe same. Then, use cdev_device_add, which guarantees that the device\nwon't be released until all references to the cdev have been released.\nFinally, delegate the freeing of the structure to the device release\nfunction, instead of freeing immediately in the disconnect callback.",
    "published": "2026-06-24T16:29:33.971Z",
    "modified": "2026-06-28T06:38:09.244Z",
    "type": "cve",
    "title": "greybus: raw: fix use-after-free on cdev close",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ef2d97c15b19b3489de01695bce478601e236c3e\nhttps://git.kernel.org/stable/c/983cc2c7efbce04ecbf6328448d895044dd6ab31",
    "id": "CVE-2026-53025",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e806c7fb8e9bae87fc23958c3789f2c2f96f54a4\nLinux Linux e806c7fb8e9bae87fc23958c3789f2c2f96f54a4\nLinux Linux 4.9",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e806c7fb8e9bae87fc23958c3789f2c2f96f54a4",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply