7.8
CVE-2026-53273
- EPSS 0.13%
- Veröffentlicht 25.06.2026 08:39:57
- Zuletzt bearbeitet 08.07.2026 04:00:54
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
tee: optee: prevent use-after-free when the client exits before the supplicant
In the Linux kernel, the following vulnerability has been resolved:
tee: optee: prevent use-after-free when the client exits before the supplicant
Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
client wait as killable so it can be interrupted during shutdown or
after a supplicant crash. This changes the original lifetime expectations:
the client task can now terminate while the supplicant is still processing
its request.
If the client exits first it removes the request from its queue and
kfree()s it, while the request ID remains in supp->idr. A subsequent
lookup on the supplicant path then dereferences freed memory, leading to
a use-after-free.
Serialise access to the request with supp->mutex:
* Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
looking up and touching the request.
* Let optee_supp_thrd_req() notice that the client has terminated and
signal optee_supp_send() accordingly.
With these changes the request cannot be freed while the supplicant still
has a reference, eliminating the race.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.4.291 < 5.5
Linux ≫ Linux Kernel Version >= 5.10.235 < 5.10.259
Linux ≫ Linux Kernel Version >= 5.15.179 < 5.15.210
Linux ≫ Linux Kernel Version >= 6.1.130 < 6.1.176
Linux ≫ Linux Kernel Version >= 6.6.80 < 6.6.143
Linux ≫ Linux Kernel Version >= 6.12.17 < 6.12.94
Linux ≫ Linux Kernel Version >= 6.13.5 < 6.14
Linux ≫ Linux Kernel Version >= 6.14.1 < 6.18.36
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.13
Linux ≫ Linux Kernel Version6.14 Update-
Linux ≫ Linux Kernel Version6.14 Updaterc4
Linux ≫ Linux Kernel Version6.14 Updaterc5
Linux ≫ Linux Kernel Version6.14 Updaterc6
Linux ≫ Linux Kernel Version6.14 Updaterc7
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
Linux ≫ Linux Kernel Version7.1 Updaterc4
Linux ≫ Linux Kernel Version7.1 Updaterc5
Linux ≫ Linux Kernel Version7.1 Updaterc6
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.026 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/416259cb5bffecaaae5f76539deb535a8c1b2c34
https://git.kernel.org/stable/c/724d0caffd4204b46f78efe22f18f8338031c6e1
https://git.kernel.org/stable/c/ae847ab29ded2d7cece4d5970f0edefa4137bf2f
https://git.kernel.org/stable/c/9a0dc9279d0907b198f205a693aedf696b08145d
https://git.kernel.org/stable/c/d366a01475f927402c96a3fe78bfc06b924fc87d
https://git.kernel.org/stable/c/d5b57bb314d79e99bebb58a53588fa11dd4dbf69
https://git.kernel.org/stable/c/373152c94e57e9592b68c100e224fbd943cfd608
https://git.kernel.org/stable/c/387a926ee166814611acecb960207fe2f3c4fd3e