CVE-2026-53064 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix null-deref with concurrent writes in passthrough mode

In passthrough mode, when dm-cache starts to invalidate a cache
entry and bio prison cell lock fails due to concurrent write to
the same cached block, mg->cell remains NULL. The error path in
invalidate_complete() attempts to unlock and free the cell
unconditionally, causing a NULL pointer dereference:

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT
RIP: 0010:dm_cell_unlock_v2+0x3f/0x210
<snip>
Call Trace:
invalidate_complete+0xef/0x430
map_bio+0x130f/0x1a10
cache_map+0x320/0x6b0
__map_bio+0x458/0x510
dm_submit_bio+0x40e/0x16d0
__submit_bio+0x419/0x870
<snip>

Reproduce steps:

1. Create a cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. Promote the first data block into cache

fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k

3. Reload the cache into passthrough mode

dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache

4. Write to the first cached block concurrently

fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k

Fix by checking if mg->cell is valid before attempting to unlock it.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates in the Linux kernel’s dm-cache module when operating in passthrough mode. During cache entry invalidation, a concurrent write to the same block can cause a lock failure, leaving a pointer null. The error path then attempts to unlock and free this null pointer, leading to a kernel panic or system hang. This null‑pointer dereference does not directly provide remote code execution, but may cause system instability. The possibility that an attacker could exploit such instability for privilege escalation or persistence is inferred from the description and is not explicitly stated in the CVE data.

Affected Systems

This flaw affects the Linux Kernel, specifically any release that includes the unpatched dm-cache implementation. There are no explicit version numbers listed in the CVE data, suggesting that the issue existed in versions up to at least 6.19.0-rc7. All systems running a vulnerable kernel that enable dm-cache in passthrough mode are impacted.

Risk and Exploitability

The CVSS score is not provided in the data, and no EPSS score is available, so the exact exploitation probability cannot be quantified. The write operations required for reproduction involve local access to block devices and the use of tools such as fio. This indicates that the exploit requires local or privileged access, but this inference is based on the reproduction steps and is not explicitly stated in the CVE description. The kernel panic can theoretically be triggered by any process capable of performing concurrent writes; however, this is an inference from the issue context rather than an explicit statement. While it does not facilitate immediate remote code execution, repeated or sustained kernel crashes can be effectively used for denial of service. The vulnerability is not listed in the CISA KEV catalog, so official exploitation reports are not available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< 01264a6a3a3ad7ac1d73443299cd5a9568002454
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< ee38fb00e1a80f46a4990e38f25ecb04ae7b7417
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< c7fb6bc864c4910b344dafa36dd5028e9b980768
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< 0aa745fea1f8dc81bcdd0a45e215b6706727b482
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< a2635d541a93fd111e743cf14b6275dc81be2abc
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< 25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< df3b8ef06cc62de4fca5d2108e285085b3cffd44
`b29d4986d0da1a27cd35917cdb433672f5c95d7f`	affected	< 7d1f98d668ee34c1d15bdc0420fdd062f24a27c0

Linux

affected

Version	Status	Constraints
`4.12`	affected	—
`0`	unaffected	< 4.12
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that incorporates the dm-cache patch (committed to mainline in 6.19.1 or later).
Reboot the affected system after applying the kernel update to ensure the patched module is loaded.
Temporarily switch dm-cache to a non‑passthrough mode (e.g., write‑through or fallback) until the patch is available.

Generated by OpenCVE AI on June 24, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/01264a6a3a3ad7ac1d73443299cd5a9568002454
https://git.kernel.org/stable/c/0aa745fea1f8dc81bcdd0a45e215b6706727b482
https://git.kernel.org/stable/c/25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15
https://git.kernel.org/stable/c/7d1f98d668ee34c1d15bdc0420fdd062f24a27c0
https://git.kernel.org/stable/c/a2635d541a93fd111e743cf14b6275dc81be2abc
https://git.kernel.org/stable/c/c7fb6bc864c4910b344dafa36dd5028e9b980768
https://git.kernel.org/stable/c/df3b8ef06cc62de4fca5d2108e285085b3cffd44
https://git.kernel.org/stable/c/ee38fb00e1a80f46a4990e38f25ecb04ae7b7417

History

Wed, 24 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dm cache: fix null-deref with concurrent writes in passthrough mode In passthrough mode, when dm-cache starts to invalidate a cache entry and bio prison cell lock fails due to concurrent write to the same cached block, mg->cell remains NULL. The error path in invalidate_complete() attempts to unlock and free the cell unconditionally, causing a NULL pointer dereference: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT RIP: 0010:dm_cell_unlock_v2+0x3f/0x210 <snip> Call Trace: invalidate_complete+0xef/0x430 map_bio+0x130f/0x1a10 cache_map+0x320/0x6b0 __map_bio+0x458/0x510 dm_submit_bio+0x40e/0x16d0 __submit_bio+0x419/0x870 <snip> Reproduce steps: 1. Create a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. Promote the first data block into cache fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \ --direct=1 --size=64k 3. Reload the cache into passthrough mode dmsetup suspend cache dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" dmsetup resume cache 4. Write to the first cached block concurrently fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \ --randrepeat=0 --direct=1 --numjobs=2 --size 64k Fix by checking if mg->cell is valid before attempting to unlock it.
Title		dm cache: fix null-deref with concurrent writes in passthrough mode
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01264a6a3a3ad7ac1d73443299cd5a9568002454 https://git.kernel.org/stable/c/0aa745fea1f8dc81bcdd0a45e215b6706727b482 https://git.kernel.org/stable/c/25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15 https://git.kernel.org/stable/c/7d1f98d668ee34c1d15bdc0420fdd062f24a27c0 https://git.kernel.org/stable/c/a2635d541a93fd111e743cf14b6275dc81be2abc https://git.kernel.org/stable/c/c7fb6bc864c4910b344dafa36dd5028e9b980768 https://git.kernel.org/stable/c/df3b8ef06cc62de4fca5d2108e285085b3cffd44 https://git.kernel.org/stable/c/ee38fb00e1a80f46a4990e38f25ecb04ae7b7417

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:07.536Z

Updated: 2026-06-24T16:30:07.536Z

Reserved: 2026-06-09T07:44:35.382Z

Link: CVE-2026-53064

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses

CWE-476
NULL Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object