Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc

pci_epf_alloc_doorbell() stores the allocated doorbell message array in
epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation
fails, the array is freed but the EPF state may still point to freed
memory.

Clear epf->db_msg and epf->num_db on the MSI allocation failure path so
that later cleanup cannot double-free the array and callers can retry
allocation.

Also return -EBUSY when doorbells have already been allocated to prevent
leaking or overwriting an existing allocation.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the pci-ep-msi path was vulnerable when an MSI allocation failed. The code freed the doorbell message array but left the endpoint structure pointing to the freed memory. Subsequent cleanup could attempt to free the already‑freed array, leading to a double‑free or use‑after‑free scenario that can corrupt kernel memory. The patch eliminates the leak and prevents overwriting existing allocations by returning -EBUSY when doorbells are already allocated.
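
The unwind pattern described above, as a userspace C model added here for illustration. It is not the kernel's code: `struct epf_model`, `alloc_doorbell()`, `free_doorbell()`, `msi_alloc_model()` and the `msi_fails` fault-injection switch are hypothetical stand-ins for the driver state and the MSI vector request.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: every name below is a hypothetical stand-in. */
struct epf_model {
    unsigned int *db_msg;   /* doorbell message array */
    unsigned int num_db;
};
static bool msi_fails;      /* constructed fault injection for the MSI step */
static int msi_alloc_model(void) { return msi_fails ? -ENOMEM : 0; }

/* fixed=false reproduces the stale-state unwind; fixed=true is the repair. */
static int alloc_doorbell(struct epf_model *epf, unsigned int n, bool fixed)
{
    unsigned int *msg;
    int ret;
    if (fixed && epf->db_msg)
        return -EBUSY;          /* refuse to overwrite a live allocation */
    msg = calloc(n, sizeof(*msg));
    if (!msg)
        return -ENOMEM;
    epf->db_msg = msg;          /* state is published before the MSI step */
    epf->num_db = n;
    ret = msi_alloc_model();
    if (ret) {
        free(msg);
        if (fixed) {            /* unwind the published state as well */
            epf->db_msg = NULL;
            epf->num_db = 0;
        }
    }
    return ret;
}

static void free_doorbell(struct epf_model *epf)
{
    free(epf->db_msg);          /* a stale db_msg here is a double free */
    epf->db_msg = NULL;
    epf->num_db = 0;
}

int main(void)
{
    struct epf_model epf = {0};
    msi_fails = true;           /* force the MSI step to fail */
    int ret = alloc_doorbell(&epf, 4, true);
    free_doorbell(&epf);        /* safe: the fixed path cleared the state */
    return ret == -ENOMEM ? 0 : 1;
}
```

With `fixed` set to false, the same failure leaves `num_db` at 4 and `db_msg` dangling, so the later `free_doorbell()` call would free the array a second time.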

Affected Systems

All Linux kernel versions that contain the pci-ep-msi endpoint driver before the commit that introduces this fix are affected. This includes any distribution release whose kernel contains the original pci_epf_alloc_doorbell implementation. The vendor is Linux; the product is the Linux kernel.

Risk and Exploitability

The vulnerability can potentially allow an attacker with the ability to trigger MSI allocation failures on a PCI endpoint to corrupt kernel memory, which may lead to privilege escalation or denial of service. The lack of an EPSS score means exploitation probability is currently unknown, but the nature of the flaw suggests high potential severity. The vulnerability is not listed in CISA’s KEV catalog, implying no publicly known exploits, yet the kernel could be strategically targeted. An attacker would need to control a PCI endpoint or influence MSI allocation, so the attack vector is local to the host that owns the device.

Generated by OpenCVE AI on June 24, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that contains the pci-ep-msi double‑free fix.
  • Reboot the system to load the updated kernel and driver.
  • If an immediate kernel upgrade is not possible, manually apply the upstream patch to the kernel source and rebuild the endpoint driver so that it no longer uses the buggy MSI allocation path.



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:45:00 +0000

Weaknesses (values added): CWE-415, CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Description (values added): In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc pci_epf_alloc_doorbell() stores the allocated doorbell message array in epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation fails, the array is freed but the EPF state may still point to freed memory. Clear epf->db_msg and epf->num_db on the MSI allocation failure path so that later cleanup cannot double-free the array and callers can retry allocation. Also return -EBUSY when doorbells have already been allocated to prevent leaking or overwriting an existing allocation.
Title (values added): PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc
First Time appeared (values added): Linux; Linux linux Kernel
CPEs (values added): cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products (values added): Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:09.492Z

Reserved: 2026-06-09T07:44:35.382Z

Link: CVE-2026-53067

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses