Improper control of a resource through its lifetime in Linux kernel - CVE-2026-53322

Published: June 29, 2026

Vulnerability identifier: #VU135711
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53322
CWE-ID: CWE-664
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to access device BAR resources after the device has been shut down, potentially leading to disclosure of sensitive information, modification of data, or a denial of service.

The vulnerability exists because vfio_pci_core_close_device() shuts down device resources in the wrong order when a device is closed while DMABUF access is still active. A local user who holds DMABUF mappings can keep accessing the device through them during the shutdown window and thereby reach device BAR resources after the device has been shut down, potentially leading to disclosure of sensitive information, modification of data, or a denial of service.

The window is small: it opens after memory space enable is cleared and closes only when DMABUF access is revoked, and during that interval the resources may already have been reassigned to a different driver.
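The ordering problem described above, reduced to a constructed C model added here for illustration (it is not the kernel's code, and the "fixed" ordering is an assumption made for contrast, not the upstream patch). The model has a user access through an existing DMABUF mapping race against teardown and shows that, when revocation comes last, the access reaches the BAR after it has been handed to another driver:

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a VFIO-style PCI device exporting a BAR to user
 * space through a DMABUF mapping; not the kernel's structures or code. */
struct model_device {
    bool mem_space_enabled; /* PCI COMMAND memory-space enable bit */
    bool dmabuf_revoked;    /* DMABUF access has been torn down */
    uint32_t bar_value;     /* whatever currently backs the BAR window */
};

/* User access through an existing mapping; refused only after revocation. */
static bool mapping_access(const struct model_device *dev, uint32_t *out)
{
    if (dev->dmabuf_revoked)
        return false;
    *out = dev->bar_value;
    return true;
}

/* Vulnerable ordering as the advisory describes it: memory space cleared,
 * resources reassigned, DMABUF access revoked last. The access made in
 * between reaches the new owner's resource. */
static bool close_buggy(struct model_device *dev, uint32_t *seen)
{
    dev->mem_space_enabled = false;
    dev->bar_value = 0xA5A5A5A5u;          /* constructed: BAR now another driver's */
    bool hit = mapping_access(dev, seen);  /* the in-window access */
    dev->dmabuf_revoked = true;
    return hit;
}

/* Assumed hardened ordering (not the upstream patch): revoke outstanding
 * DMABUF access before anything else, so the same access is refused. */
static bool close_fixed(struct model_device *dev, uint32_t *seen)
{
    dev->dmabuf_revoked = true;
    dev->mem_space_enabled = false;
    dev->bar_value = 0xA5A5A5A5u;
    return mapping_access(dev, seen);
}

/* One teardown on a fresh device (constructed BAR content 0x11111111);
 * returns what the in-window access saw, or 0 when it was refused. */
uint32_t teardown_observe(bool use_fixed_order)
{
    struct model_device dev = { true, false, 0x11111111u };
    uint32_t seen = 0;
    bool hit = use_fixed_order ? close_fixed(&dev, &seen)
                               : close_buggy(&dev, &seen);
    return hit ? seen : 0;
}
```

With the buggy order `teardown_observe(false)` returns the other driver's value, while the revoke-first order returns 0 because the stale mapping is refused.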

How to mitigate CVE-2026-53322

Install the security update from the vendor's repository.

Sources