ipc: limit next_id allocation to the valid ID range

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ipc: limit next_id allocation to the valid ID range

The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id. ipc_idr_alloc() currently forwards that request to
idr_alloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni. The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.

The bug is in ipc_idr_alloc() in the checkpoint/restore path.

1. ids->next_id is passed to:

idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)

2. The zero upper bound makes the allocation effectively open-ended.
Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
ipc_mni and allocate an entry beyond the valid IPC id range.

3. The new object id is still encoded with the narrower SysV IPC index
width:

new->id = (new->seq << ipcmni_seq_shift()) + idx

4. Later removal goes through ipc_rmid(), which uses:

ipcid_to_idx(ipcp->id)

That truncates the real IDR index. An object actually stored at a
high index can then be removed as if it lived at a low in-range
index.

5. For shared memory, shm_destroy() frees the current object anyway, but
the real high IDR slot is left behind as a dangling pointer.

6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
and dereferences freed memory.

Prevent this by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.

Basic Information

ID CVE-2026-52923

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version 03f595668017f1a1fb971c02fc37140bc6e7bb1c

Affected Versions Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c
Linux Linux 3.8

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids->next_id.  ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni.  The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids->next_id is passed to:\n\n       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n   ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n   width:\n\n       new->id = (new->seq << ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n       ipcid_to_idx(ipcp->id)\n\n   That truncates the real IDR index. An object actually stored at a\n   high index can then be removed as if it lived at a low in-range\n   index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n   the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n   and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted.",
    "published": "2026-06-24T07:14:17.849Z",
    "modified": "2026-06-28T06:36:45.317Z",
    "type": "cve",
    "title": "ipc: limit next_id allocation to the valid ID range",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5\nhttps://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef\nhttps://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04\nhttps://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f\nhttps://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456\nhttps://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e\nhttps://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed\nhttps://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139",
    "id": "CVE-2026-52923",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 03f595668017f1a1fb971c02fc37140bc6e7bb1c\nLinux Linux 3.8",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ipc: limit next_id allocation to the valid ID range_CVE-2026-52923

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply