CVE-2026-53061 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix dirty mapping checking in passthrough mode switching

As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata
object across inactive and active DM tables"), dm-cache assumed table
reload occurs after suspension, while LVM's table preload breaks this
assumption. The dirty mapping check for passthrough mode was designed
around this assumption and is performed during table creation, causing
the check to fail with preload while metadata updates are ongoing. This
risks loading dirty mappings into passthrough mode, resulting in data
loss.

Reproduce steps:

1. Create a writeback cache with zero migration_threshold to produce
dirty mappings

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \
2 migration_threshold 0"

2. Preload a table in passthrough mode

dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"

3. Write to the first cache block to make it dirty

fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k

4. Resume the inactive table. Now it's possible to load the dirty block
into passthrough mode.

dmsetup resume cache

Fix by moving the checks to the preresume phase to support table
preloading. Also remove the unused function dm_cache_metadata_all_clean.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The bug occurs when the dm-cache subsystem performs a dirty mapping check during table creation, based on an assumption that the table reload will happen after suspend. LVM’s table preload code violates this assumption. As a result, dirty blocks may bypass the check and be loaded into a passthrough table, exposing stale or dirty data through the device. The consequence is data loss and the weakness is a logic flaw that allows incorrect state validation, corresponding to CWE‑682. The classification as CWE‑682 is inferred from the description.

Affected Systems

All Linux kernel releases that include the dm-cache subsystem are potentially affected, since a specific kernel version was not provided. The vulnerability applies to the Linux operating system’s device mapper cache component (dm‑cache) at the kernel level. Any configuration that uses dm‑cache passthrough mode might be impacted.

Risk and Exploitability

The CVSS score is not listed, and the EPSS score is unavailable, so the precise risk level cannot be quantified from the data. The vulnerability is only exploitable by a privileged user who can create or alter dm‑cache tables; this is inferred from the description and is typically a root or system administrator. The risk is data loss rather than remote code execution. The vulnerability is not listed in CISA’s KEV catalog, indicating no known public exploitation at this time. Attackers would need to trigger the described sequence of cache creation, table preload, data writing, and table suspension, implying a local environment with kernel module control.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< c2e86f647561fcf5e1c6eba7d75e9e0c4299c94d
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< 5c98a3f1d7a554c9e920aa31daf92af6b5bbb8cc
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< 1443c32f24d6d8bcdf4beceef2afc09290b98717
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< 12105c7f18375d7615dad7605d89eadae7eb12a6
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< bd5a2c1018938e6b32670728bdb32a3f0efff00f
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< 21c503d60a257e54ca3ac58e2721bd24501d5bde
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< 01b22656d8a68dbeae59f8b80866e7b11936b20a
`2ee57d587357f0d752af6c2e3e46434a74b1bee3`	affected	< 322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8

Linux

affected

Version	Status	Constraints
`3.13`	affected	—
`0`	unaffected	< 3.13
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that incorporates the dm‑cache fix that moves the dirty mapping check to the pre‑resume phase.
If an update is not immediately available, avoid using dm‑cache in passthrough mode until the patch is applied or disable passthrough mode for critical devices.
Before reloading a dm‑cache table that has recently been used, flush or clear dirty mappings by setting a non‑zero migration threshold or executing a clean operation to eliminate dirty blocks.

Generated by OpenCVE AI on June 24, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/01b22656d8a68dbeae59f8b80866e7b11936b20a
https://git.kernel.org/stable/c/12105c7f18375d7615dad7605d89eadae7eb12a6
https://git.kernel.org/stable/c/1443c32f24d6d8bcdf4beceef2afc09290b98717
https://git.kernel.org/stable/c/21c503d60a257e54ca3ac58e2721bd24501d5bde
https://git.kernel.org/stable/c/322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8
https://git.kernel.org/stable/c/5c98a3f1d7a554c9e920aa31daf92af6b5bbb8cc
https://git.kernel.org/stable/c/bd5a2c1018938e6b32670728bdb32a3f0efff00f
https://git.kernel.org/stable/c/c2e86f647561fcf5e1c6eba7d75e9e0c4299c94d

History

Wed, 24 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-682

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dm cache: fix dirty mapping checking in passthrough mode switching As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), dm-cache assumed table reload occurs after suspension, while LVM's table preload breaks this assumption. The dirty mapping check for passthrough mode was designed around this assumption and is performed during table creation, causing the check to fail with preload while metadata updates are ongoing. This risks loading dirty mappings into passthrough mode, resulting in data loss. Reproduce steps: 1. Create a writeback cache with zero migration_threshold to produce dirty mappings dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \ 2 migration_threshold 0" 2. Preload a table in passthrough mode dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" 3. Write to the first cache block to make it dirty fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \ --direct=1 --size=64k 4. Resume the inactive table. Now it's possible to load the dirty block into passthrough mode. dmsetup resume cache Fix by moving the checks to the preresume phase to support table preloading. Also remove the unused function dm_cache_metadata_all_clean.
Title		dm cache: fix dirty mapping checking in passthrough mode switching
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01b22656d8a68dbeae59f8b80866e7b11936b20a https://git.kernel.org/stable/c/12105c7f18375d7615dad7605d89eadae7eb12a6 https://git.kernel.org/stable/c/1443c32f24d6d8bcdf4beceef2afc09290b98717 https://git.kernel.org/stable/c/21c503d60a257e54ca3ac58e2721bd24501d5bde https://git.kernel.org/stable/c/322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8 https://git.kernel.org/stable/c/5c98a3f1d7a554c9e920aa31daf92af6b5bbb8cc https://git.kernel.org/stable/c/bd5a2c1018938e6b32670728bdb32a3f0efff00f https://git.kernel.org/stable/c/c2e86f647561fcf5e1c6eba7d75e9e0c4299c94d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:05.522Z

Updated: 2026-06-24T16:30:05.522Z

Reserved: 2026-06-09T07:44:35.382Z

Link: CVE-2026-53061

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses

CWE-682
Incorrect Calculation

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object