Description
In the Linux kernel, the following vulnerability has been resolved:

efi/capsule-loader: fix incorrect sizeof in phys array reallocation

The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.

The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().

On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.

This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an incorrect use of sizeof in a kernel reallocation routine for the EFI capsule loader. On 32‑bit PAE systems, the reallocation uses the size of a pointer rather than the size of a 64‑bit physical address, causing the allocated memory to be half the required space. This misallocation can lead to a heap buffer overflow when the kernel stores physical address values, potentially compromising kernel memory integrity. The weakness is classified as CWE‑131, Incorrect Size of Allocation.

Affected Systems

The issue affects Linux kernel implementations that run on 32‑bit systems with Physical Address Extension (PAE) and that include the EFI capsule loader. Specific kernel versions are not listed, but the patch is present in commits after the bug was introduced. Administrators should verify whether their running kernel contains the EFI capsule loader code paths that were patched.

Risk and Exploitability

The flawed allocation may be triggered when the kernel processes EFI capsule data containing physical addresses. An attacker capable of supplying or manipulating such capsule data could cause kernel memory corruption, leading to privilege escalation or denial of service. The CVSS score of 5.5 and the EPSS score of less than 1% indicate moderate severity and a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is the injection of malicious EFI capsule data through firmware update mechanisms, which is inferred rather than directly stated.

Generated by OpenCVE AI on June 26, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the operating system to a kernel version that contains the patch which corrects the incorrect sizeof in the EFI capsule loader reallocation.
  • Disable or limit the use of UEFI capsule updates if the system does not require dynamic firmware updates, to reduce the attack surface.
  • Monitor system logs for signs of kernel crashes or memory corruption events that might indicate exploitation attempts.

Generated by OpenCVE AI on June 26, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-125

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.
Title efi/capsule-loader: fix incorrect sizeof in phys array reallocation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:53.491Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53047

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53047 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:30:17Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size