7.8
CVE-2026-53185
- EPSS 0.1%
- Veröffentlicht 25.06.2026 08:38:58
- Zuletzt bearbeitet 06.07.2026 12:41:41
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
zram: fix use-after-free in zram_bvec_write_partial()
In the Linux kernel, the following vulnerability has been resolved:
zram: fix use-after-free in zram_bvec_write_partial()
zram_read_page() picks the sync or async backing device read path based on
whether the parent bio is NULL. zram_bvec_write_partial() passes its
parent bio down, so for ZRAM_WB slots the read is dispatched
asynchronously and zram_read_page() returns 0 while the bio is still in
flight. The caller then runs memcpy_from_bvec(), zram_write_page() and
__free_page() on the buffer, leaving the async read to write into a freed
page.
zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
("zram: fix synchronous reads") for the same reason; the write_partial
counterpart was missed.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.14 < 6.6.143
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.94
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.36
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.13
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
Linux ≫ Linux Kernel Version7.1 Updaterc4
Linux ≫ Linux Kernel Version7.1 Updaterc5
Linux ≫ Linux Kernel Version7.1 Updaterc6
Linux ≫ Linux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.012 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-364 Signal Handler Race Condition
The product uses a signal handler that introduces a race condition.
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/0c2821665ff71be3f4b07ecece384669f2877f6a
https://git.kernel.org/stable/c/77a602b505ce4802915853cfc435a4722fab3e64
https://git.kernel.org/stable/c/c96786d6ff1acc1d54d9241e97767554c1dfdd5b
https://git.kernel.org/stable/c/198b5a14cca27263b9c14b20114c8092de15dfcb
https://git.kernel.org/stable/c/732fd9f0b9c1cdc6dfd77162ded60df005182cc0
https://access.redhat.com/security/cve/CVE-2026-53185
https://bugzilla.redhat.com/show_bug.cgi?id=2492735
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53185.json