-
CVE-2026-53341
- EPSS 0.16%
- Veröffentlicht 01.07.2026 13:32:22
- Zuletzt bearbeitet 04.07.2026 12:17:01
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
In the Linux kernel, the following vulnerability has been resolved:
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
may_decode_fh() accesses mount::mnt_ns without holding any locks; that
means the mount can concurrently be unmounted, and the mnt_namespace can
concurrently be freed after an RCU grace period.
This race can happens as follows, assuming that the mount point was
created by open_tree(..., OPEN_TREE_CLONE):
thread 1 thread 2 RCU
__do_sys_open_by_handle_at
do_handle_open
handle_to_path
may_decode_fh
is_mounted
[mount::mnt_ns access]
[mount::mnt_ns access]
__do_sys_close
fput_close_sync
__fput
dissolve_on_fput
umount_tree
class_namespace_excl_destructor
namespace_unlock
free_mnt_ns
mnt_ns_tree_remove
call_rcu(mnt_ns_release_rcu)
mnt_ns_release_rcu
mnt_ns_release
kfree
[mnt_namespace::user_ns access] **UAF**
Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
in __prepend_path().
Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()
for writers that can race with lockless readers.
This bug is unreachable unless one of the following is set:
- CONFIG_PREEMPTION
- CONFIG_RCU_STRICT_GRACE_PERIOD
because it requires an RCU grace period to happen during a syscall without
an explicit preemption.
This doesn't seem to have interesting security impact; worst-case, it could
leak the result of an integer comparison to userspace (from the level
check in cap_capable()), cause an endless loop, or crash the kernel by
dereferencing an invalid address.Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
620c266f394932e5decc4b34683a75dfc59dc2f4
Version <
15ea8dc42a02259d49dee38a658d40f60fcd75ed
Status
affected
Version
620c266f394932e5decc4b34683a75dfc59dc2f4
Version <
32138633e51e6db59e474765cf93268c92b42888
Status
affected
Version
620c266f394932e5decc4b34683a75dfc59dc2f4
Version <
a8ed2c29fcfdac78db96c9da4e659c8a513f2a94
Status
affected
Version
620c266f394932e5decc4b34683a75dfc59dc2f4
Version <
40ab6644b99685755f740b872c00ef40d9aa870e
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
6.11
Status
affected
Version
0
Version <
6.11
Status
unaffected
Version <=
6.12.*
Version
6.12.95
Status
unaffected
Version <=
6.18.*
Version
6.18.36
Status
unaffected
Version <=
7.0.*
Version
7.0.13
Status
unaffected
Version <=
*
Version
7.1
Status
unaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.052 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|
https://git.kernel.org/stable/c/32138633e51e6db59e474765cf93268c92b42888
https://git.kernel.org/stable/c/a8ed2c29fcfdac78db96c9da4e659c8a513f2a94
https://git.kernel.org/stable/c/40ab6644b99685755f740b872c00ef40d9aa870e
https://git.kernel.org/stable/c/15ea8dc42a02259d49dee38a658d40f60fcd75ed