Description
In the Linux kernel, the following vulnerability has been resolved:

ipc/shm: serialize orphan cleanup with shm_nattch updates

shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
does not serialize all fields tested by shm_may_destroy(). In particular,
shm_nattch is updated while holding shm_perm.lock, and attach paths can do
that without holding the rwsem.

Do not decide that an orphaned segment is unused before taking the object
lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
other destroy paths, and unlock the segment when it no longer qualifies
for removal.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s System V shared memory subsystem contains a race condition involving the orphan cleanup routine. When a kernel walk removes orphaned segments, the check that decides whether a segment can be destroyed does not hold the lock protecting the attachment counter. Although the counter is updated while holding a separate object lock, the cleanup path runs without that protection, allowing the counter to change concurrently. This synchronization hole can cause the kernel to incorrectly deem a segment unused or in use, leading to premature deletion of active segments, loss of data, crashes, or memory leaks. Based on the description, it is inferred that the flaw itself does not rely on any external, untrusted input.

Affected Systems

All Linux kernel builds that have not incorporated the patch found in commits 030bbc8, 1f0d01e, 2e5c6f4, 6560be3, 92cda25, b1e9aef, b5107b4, and db752eb are affected. The vulnerability is present in any Kernel release prior to these commits, regardless of distribution; it applies to the core `ipc/shm` implementation in the mainline kernel.

Risk and Exploitability

Based on the description, it is inferred that the attacker needs local or kernel-level privileges to create or attach to System V shared memory segments while the kernel is performing orphan cleanup. The flaw does not depend on untrusted input and requires a local process that can create or attach to System V shared memory segments while the kernel is performing orphan cleanup. Thus the attack surface is local (or a component with kernel privileges). No publicly known remote exploit or exploitation chain is documented, and the EPSS score is 0.00165. The vulnerability is not listed in the CISA KEV catalog. An attacker with sufficient local privileges could leverage the race to trigger memory corruption, crash services, or exhaust system resources, resulting in a denial of service. The CVSS score is 5.5.

Generated by OpenCVE AI on June 25, 2026 at 03:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a revision that contains the corrective patch found in the listed commits
  • Restrict local user capabilities by ensuring that only trusted users or processes have the capability to create or attach to System V shared memory segments (e.g., via SELinux/AppArmor profiles or by limiting CAP_SYS_ADMIN).
  • Schedule a maintenance window to apply the patch or roll out a kernel configuration that serializes the orphan cleanup logic; until the fix is applied, isolate the system from untrusted networks or events.

Generated by OpenCVE AI on June 25, 2026 at 03:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Thu, 25 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-821
CWE-824

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-821
CWE-824

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipc/shm: serialize orphan cleanup with shm_nattch updates shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that does not serialize all fields tested by shm_may_destroy(). In particular, shm_nattch is updated while holding shm_perm.lock, and attach paths can do that without holding the rwsem. Do not decide that an orphaned segment is unused before taking the object lock. Move the shm_may_destroy() check under shm_perm.lock, matching the other destroy paths, and unlock the segment when it no longer qualifies for removal.
Title ipc/shm: serialize orphan cleanup with shm_nattch updates
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:22.704Z

Reserved: 2026-06-09T07:44:35.369Z

Link: CVE-2026-52930

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52930 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition