-

CVE-2026-53047

efi/capsule-loader: fix incorrect sizeof in phys array reallocation

In the Linux kernel, the following vulnerability has been resolved:

efi/capsule-loader: fix incorrect sizeof in phys array reallocation

The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.

The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().

On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.

This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < 22022cd8851703a58f67615a17bc7e9e8682785b
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < 67adde6bfdfd563a54b045d59aeb9a2d90c80697
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < 608e1f7bc9d171ab26c1fba288c97fc76363c27d
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < 8be69e9245f805566bac68ffc8574b64735fd996
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < 5e185330d902b12fe8e6eb4b8514b5d736d8d66d
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < e0e6b14995fd6fa2c0df8c712d76ab32f0694c31
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < ab3f7098a3a27175b91cfc947950f5c26855801b
Status affected
Version f24c4d478013d82bd1b943df566fff3561d52864
Version < 48a428215782321b56956974f23593e40ce84b7a
Status affected
Version 95a362c9a6892085f714eb6e31eea6a0e3aa93bf
Status affected
Version 4.14.13
Version < 4.15
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 4.15
Status affected
Version 0
Version < 4.15
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.093
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/22022cd8851703a58f67615a17bc7e9e8682785b
https://git.kernel.org/stable/c/67adde6bfdfd563a54b045d59aeb9a2d90c80697
https://git.kernel.org/stable/c/608e1f7bc9d171ab26c1fba288c97fc76363c27d
https://git.kernel.org/stable/c/8be69e9245f805566bac68ffc8574b64735fd996
https://git.kernel.org/stable/c/5e185330d902b12fe8e6eb4b8514b5d736d8d66d
https://git.kernel.org/stable/c/e0e6b14995fd6fa2c0df8c712d76ab32f0694c31
https://git.kernel.org/stable/c/ab3f7098a3a27175b91cfc947950f5c26855801b
https://git.kernel.org/stable/c/48a428215782321b56956974f23593e40ce84b7a