Description
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free race in fastrpc_map_create

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The fastrpc_map_lookup function returns a pointer after releasing a lock, and a concurrent MEM_UNMAP can free that map before fastrpc_map_create calls kref_get_unless_zero on the pointer. This results in a use‑after‑free that can crash the kernel. The flaw is a race condition (CWE‑366).

Affected Systems

Any Linux kernel build that has not incorporated the commit restoring the take_ref parameter in fastrpc_map_lookup is affected. The product is the Linux kernel; version information is not supplied, so all kernels prior to the patch are at risk.

Risk and Exploitability

The CVSS score is 7.8. The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a race with a MEM_UNMAP operation and kernel‑level access, making the attack path non‑trivial. The likely attack vector is local kernel execution, but external exploitation is not explicitly documented. Given the moderate likelihood but high severity, overall risk is moderate.

Generated by OpenCVE AI on June 28, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel release that contains the fastrpc_map_create fix.
  • If the distribution has not yet shipped the patch, backport the commit to your local kernel tree, rebuild, and reboot.
  • If patching is not possible, disable the fastrpc subsystem by setting CONFIG_FSTRPC=n in the kernel configuration and recompiling.

Generated by OpenCVE AI on June 28, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in fastrpc_map_create fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) on this unprotected pointer. A concurrent MEM_UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object. Restore the take_ref parameter to fastrpc_map_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller.
Title misc: fastrpc: fix use-after-free race in fastrpc_map_create
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:36.143Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53160

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53160 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:00:12Z

Weaknesses
  • CWE-366

    Race Condition within a Thread