Description
In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:

CPU0 (quota_release_workfn) CPU1 (dquot_scan_active)
============================== ==============================
spin_lock(&dq_list_lock);
list_replace_init(
&releasing_dquots, &rls_head);
/* dquot X on rls_head,
dq_count == 0,
DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
spin_lock(&dq_list_lock);
list_for_each_entry(dquot,
&inuse_list, dq_inuse) {
/* finds dquot X */
dquot_active(X) -> true
atomic_inc(&X->dq_count);
}
spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));

The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.

Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists between dquot_scan_active() and quota_release_workfn() in the Linux kernel's quota subsystem. During quota deactivation the releasing list of dquot objects is swapped while another thread scans active dquots, potentially acquiring a reference to an object that has already been freed. This can lead to use‑after‑free and kernel memory corruption. The excerpted code shows how a freed dquot can be manipulated. Based on the description, it is inferred that this leads to kernel memory corruption; the designer’s intention was to prevent a cosmetic inconsistency, but the flaw threatens stability and security.

Affected Systems

Any Linux kernel build that contains the generic quota implementation and is earlier than commit 2bdc80f4619411e5bd4a3ef23f51e14021ed457c is vulnerable. This includes the standard kernel trees used by most mainstream distributions. No specific kernel version numbers are enumerated in the advisory, so all kernels that expose quota activation/deactivation without the patch commit are affected. Exact affected releases cannot be listed because the input does not provide version ranges.

Risk and Exploitability

The CVSS score is 7.8, indicating moderate severity. The EPSS score is less than 1 %, which suggests a very low but non‑zero probability of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog, so no mass exploitation has been documented. Attacking this flaw would require local or elevated privileges to trigger the race by activating or deactivating quotas, so the attack surface is restricted to trusted administrators. The CVE description does not state the privilege required; based on typical kernel privileges, it is inferred that only privileged users can activate or deactivate quotas. If an attacker succeeds, the resulting memory corruption could cause a denial of service or, if the attacker can manipulate the freed memory, privilege escalation. Because the race is subtle, exploitation may be difficult to achieve but is not impossible in environments where the quota subsystem is used heavily.

Generated by OpenCVE AI on June 28, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the patch committed at 2bdc80f4619411e5bd4a3ef23f51e14021ed457c
  • If an upgrade is not immediately possible, rebuild or backport the patch into the currently running kernel and install the updated kernel
  • Limit quota activation and deactivation to trusted administrators by tightening ACLs or requiring root privileges for these actions

Generated by OpenCVE AI on June 28, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-617

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-617

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquot_scan_active() with quota deactivation dquot_scan_active() can race with quota deactivation in quota_release_workfn() like: CPU0 (quota_release_workfn) CPU1 (dquot_scan_active) ============================== ============================== spin_lock(&dq_list_lock); list_replace_init( &releasing_dquots, &rls_head); /* dquot X on rls_head, dq_count == 0, DQ_ACTIVE_B still set */ spin_unlock(&dq_list_lock); synchronize_srcu(&dquot_srcu); spin_lock(&dq_list_lock); list_for_each_entry(dquot, &inuse_list, dq_inuse) { /* finds dquot X */ dquot_active(X) -> true atomic_inc(&X->dq_count); } spin_unlock(&dq_list_lock); spin_lock(&dq_list_lock); dquot = list_first_entry(&rls_head); WARN_ON_ONCE(atomic_read(&dquot->dq_count)); The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot. Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.
Title quota: Fix race of dquot_scan_active() with quota deactivation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:37.088Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53050

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53050 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-366

    Race Condition within a Thread