SB2026062921 - Improper control of a resource through its lifetime in Linux kernel vfio pci driver
Published: June 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-53322)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to access device BAR resources after device shutdown, potentially leading to disclosure of sensitive information, modification of data, or a denial of service.
The vulnerability exists due to improper resource shutdown sequencing in vfio_pci_core_close_device() when a device is closed while DMABUF access remains active. A local user can keep accessing the device through DMABUF mappings during the shutdown window and so reach device BAR resources after device shutdown, potentially leading to disclosure of sensitive information, modification of data, or a denial of service.
The issue occurs in a small window after memory space enable is cleared and before DMABUF access is revoked, while the resources may be reassigned to a different driver.
Remediation
Install the update from the vendor's website.