7.8

CVE-2026-53185

zram: fix use-after-free in zram_bvec_write_partial()

In the Linux kernel, the following vulnerability has been resolved:

zram: fix use-after-free in zram_bvec_write_partial()

zram_read_page() picks the sync or async backing device read path based on
whether the parent bio is NULL.  zram_bvec_write_partial() passes its
parent bio down, so for ZRAM_WB slots the read is dispatched
asynchronously and zram_read_page() returns 0 while the bio is still in
flight.  The caller then runs memcpy_from_bvec(), zram_write_page() and
__free_page() on the buffer, leaving the async read to write into a freed
page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
("zram: fix synchronous reads") for the same reason; the write_partial
counterpart was missed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.14 < 6.6.143
LinuxLinux Kernel Version >= 6.7 < 6.12.94
LinuxLinux Kernel Version >= 6.13 < 6.18.36
LinuxLinux Kernel Version >= 6.19 < 7.0.13
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc6
LinuxLinux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.1% 0.012
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-364 Signal Handler Race Condition

The product uses a signal handler that introduces a race condition.

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/0c2821665ff71be3f4b07ecece384669f2877f6a
Patch
https://git.kernel.org/stable/c/77a602b505ce4802915853cfc435a4722fab3e64
Patch
https://git.kernel.org/stable/c/c96786d6ff1acc1d54d9241e97767554c1dfdd5b
Patch
https://git.kernel.org/stable/c/198b5a14cca27263b9c14b20114c8092de15dfcb
Patch
https://git.kernel.org/stable/c/732fd9f0b9c1cdc6dfd77162ded60df005182cc0
Patch
https://access.redhat.com/security/cve/CVE-2026-53185
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2492735
Third Party Advisory
Issue Tracking
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53185.json
Third Party Advisory