Description
In the Linux kernel, the following vulnerability has been resolved:

s390/ap: use generic driver_override infrastructure

When the AP masks are updated via apmask_store() or aqmask_store(),
ap_bus_revise_bindings() is called after ap_attr_mutex has been
released.

This calls __ap_revise_reserved(), which accesses the driver_override
field without holding any lock, racing against a concurrent
driver_override_store() that may free the old string, resulting in a
potential UAF.

Fix this by using the driver-core driver_override infrastructure, which
protects all accesses with an internal spinlock.

Note that unlike most other buses, the AP bus does not check
driver_override in its match() callback; the override is checked in
ap_device_probe() and __ap_revise_reserved() instead.

Also note that we do not enable the driver_override feature of struct
bus_type, as AP - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".

Additionally, AP has a custom counter that is modified in the
corresponding custom driver_override_store().
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Linux s390 AP bus allows an attacker to trigger a use‑after‑free of the driver_override string. When the AP mask is updated the apmask_store routine releases its mutex and then calls __ap_revise_reserved(), which reads driver_override without any protection. A concurrent driver_override_store can free the old string at the same time, causing the kernel to later access freed memory, corrupting state and potentially allowing arbitrary code execution. The weakness is a classic memory corruption flaw caused by inadequate synchronization during critical section updates.

Affected Systems

All Linux kernel installations running on IBM System z (s390) that use the AP bus and have not incorporated the driver_override fix. The original advisory does not enumerate specific kernel releases, but the fix is present in the commits referenced, indicating that any kernel version before these changes is presumed vulnerable. This includes older 5.x, 6.x and newer mainline kernels if the patch has not been applied.

Risk and Exploitability

The vulnerability is a medium‑severity use‑after‑free with a CVSS score of 5.5, EPSS score <1%, and is not listed in the CISA KEV catalog. The lack of spinlock protection allows a race that can lead to arbitrary code execution if an attacker can influence AP mask updates. Exploitation would still require local or privileged access that can invoke apmask_store or aqmask_store, potentially via exposed sysfs interfaces on the AP bus.

Generated by OpenCVE AI on June 26, 2026 at 02:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that includes the driver_override fix for the AP bus
  • If an upgrade is not immediately possible, backport the patch from the referenced Git commits and rebuild the kernel
  • After applying the fix, restrict write access to the AP bus driver_override and mask interfaces by adjusting the sysfs file permissions or disabling the interface if it is not required
  • Implement monitoring for unexpected writes to the AP bus sysfs entries or kernel log messages indicating activity on the AP bus during periods of high risk

Generated by OpenCVE AI on June 26, 2026 at 02:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416
CWE-766

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: s390/ap: use generic driver_override infrastructure When the AP masks are updated via apmask_store() or aqmask_store(), ap_bus_revise_bindings() is called after ap_attr_mutex has been released. This calls __ap_revise_reserved(), which accesses the driver_override field without holding any lock, racing against a concurrent driver_override_store() that may free the old string, resulting in a potential UAF. Fix this by using the driver-core driver_override infrastructure, which protects all accesses with an internal spinlock. Note that unlike most other buses, the AP bus does not check driver_override in its match() callback; the override is checked in ap_device_probe() and __ap_revise_reserved() instead. Also note that we do not enable the driver_override feature of struct bus_type, as AP - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". Additionally, AP has a custom counter that is modified in the corresponding custom driver_override_store().
Title s390/ap: use generic driver_override infrastructure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:47.982Z

Reserved: 2026-06-09T07:44:35.385Z

Link: CVE-2026-53116

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53116 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:30:17Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-416

    Use After Free

  • CWE-766

    Critical Data Element Declared Public