SB2026062921 - Improper control of a resource through its lifetime in Linux kernel vfio pci driver




Published: June 29, 2026

Security Bulletin ID: SB2026062921
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-53322)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to access device BAR resources after device shutdown, potentially leading to disclosure of sensitive information, modification of data, or a denial of service.

The vulnerability exists due to improper resource shutdown sequencing in vfio_pci_core_close_device() when a device is closed while DMABUF access remains active. A local user who keeps accessing the device through DMABUF mappings during the shutdown window can reach device BAR resources after device shutdown, potentially leading to disclosure of sensitive information, modification of data, or a denial of service.

The issue occurs in a small window after memory space enable is cleared and before DMABUF access is revoked, while the resources may be reassigned to a different driver.
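
The ordering problem described above, as a user-space C model added here for illustration; it is not kernel code and not the vendor's patch. All names are hypothetical, and revoking DMABUF access before the other steps is an assumed ordering that closes the window, not a description of how the fix is implemented.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: none of these names are kernel symbols. */
enum step { DISABLE_MEM, REVOKE_DMABUF, RELEASE_BAR };

struct dev {
    bool mem_enabled;   /* PCI memory space decoding is on */
    bool dmabuf_valid;  /* exported DMABUF has not been revoked yet */
    bool bar_owned;     /* BAR still belongs to this driver */
};

/* An importer can reach the BAR for as long as its DMABUF is not revoked. */
static bool importer_can_access(const struct dev *d) { return d->dmabuf_valid; }

/* The BAR is safe to touch only while decoded and still owned by this driver. */
static bool bar_is_live(const struct dev *d) { return d->mem_enabled && d->bar_owned; }

static void apply(struct dev *d, enum step s)
{
    switch (s) {
    case DISABLE_MEM:   d->mem_enabled = false;  break;
    case REVOKE_DMABUF: d->dmabuf_valid = false; break;
    case RELEASE_BAR:   d->bar_owned = false;    break;
    }
}

/* Run a close sequence and count the points at which an importer
 * could still touch a BAR that is no longer live. */
int stale_access_points(const enum step *seq, int n)
{
    struct dev d = { true, true, true };
    int stale = 0;
    for (int i = 0; i < n; i++) {
        apply(&d, seq[i]);
        if (importer_can_access(&d) && !bar_is_live(&d))
            stale++;
    }
    return stale;
}

/* Ordering from the bulletin: memory enable cleared before revocation. */
const enum step order_described[] = { DISABLE_MEM, REVOKE_DMABUF, RELEASE_BAR };
/* Assumed safe ordering: revoke importer access before anything else. */
const enum step order_revoke_first[] = { REVOKE_DMABUF, DISABLE_MEM, RELEASE_BAR };

int main(void)
{
    printf("described order: %d\n", stale_access_points(order_described, 3));
    printf("revoke first:    %d\n", stale_access_points(order_revoke_first, 3));
    return 0;
}
```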


Remediation

Install the update from the vendor's website.