Description
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free race in fastrpc_map_create

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.
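The race window and the fix described above, replayed deterministically in a single-threaded userspace C model. This is an added example, not the kernel driver's code: `struct map`, `struct user`, `map_lookup`, `map_unmap` and `frees_before_use` are hypothetical stand-ins, a pthread mutex stands in for fl->lock, and the sample map is constructed.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model: all struct and function names here are hypothetical. */
struct map { int fd; atomic_int refs; struct map *next; };
struct user { pthread_mutex_t lock; struct map *maps; };  /* lock models fl->lock */
static atomic_int freed_count;              /* lets the replay observe frees */
static bool map_get(struct map *m) {        /* models kref_get_unless_zero */
    int r = atomic_load(&m->refs);
    while (r != 0)
        if (atomic_compare_exchange_weak(&m->refs, &r, r + 1)) return true;
    return false;
}
static void map_put(struct map *m) {        /* last reference frees the map */
    if (atomic_fetch_sub(&m->refs, 1) == 1) { atomic_fetch_add(&freed_count, 1); free(m); }
}
static struct map *map_lookup(struct user *u, int fd, bool take_ref) {
    struct map *m;
    pthread_mutex_lock(&u->lock);
    for (m = u->maps; m; m = m->next)
        if (m->fd == fd) break;
    if (m && take_ref && !map_get(m)) m = NULL;   /* ref taken under the lock */
    pthread_mutex_unlock(&u->lock);
    return m;         /* take_ref == false: pointer is unprotected from here on */
}
static void map_unmap(struct user *u, int fd) {   /* models MEM_UNMAP */
    struct map **pp, *m = NULL;
    pthread_mutex_lock(&u->lock);
    for (pp = &u->maps; *pp; pp = &(*pp)->next)
        if ((*pp)->fd == fd) { m = *pp; *pp = m->next; break; }
    pthread_mutex_unlock(&u->lock);
    if (m) map_put(m);                            /* drop the list's reference */
}
/* Replays lookup -> unmap -> use; returns frees that happened before "use". */
static int frees_before_use(bool take_ref) {
    struct user u = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct map *m = calloc(1, sizeof(*m));
    if (!m) return -1;
    m->fd = 3; atomic_init(&m->refs, 1); u.maps = m;  /* constructed sample map */
    int before = atomic_load(&freed_count);
    struct map *p = map_lookup(&u, 3, take_ref);
    map_unmap(&u, 3);                             /* lands in the race window */
    int seen = atomic_load(&freed_count) - before;
    if (take_ref && p) map_put(p);                /* caller's own reference */
    return seen;      /* 1: p was already freed; 0: p is still valid */
}
int main(void) { return !(frees_before_use(false) == 1 && frees_before_use(true) == 0); }
```

With `take_ref` false the map is freed while the caller still holds the pointer, which the model never dereferences; with `take_ref` true the unmap only drops the list's reference and the object survives until the caller's put.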
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition that results in a use‑after‑free in the fastrpc subsystem of the Linux kernel. During fastrpc_map_lookup the lock is released before a pointer to the map is returned. If a concurrent MEM_UNMAP frees the map between this release and the subsequent kref_get_unless_zero call in fastrpc_map_create, the kernel touches invalid memory, which can cause a crash or, if the attacker can control the freed memory contents, arbitrary code execution.

Affected Systems

All Linux kernel builds that have not applied the fastrpc_map_create patch are susceptible. The affected vendor is Linux, and the product is the Linux kernel. No specific version range is supplied, so any kernel at or before the commit preceding the patch is potentially vulnerable.

Risk and Exploitability

Because the description does not provide a CVSS score or EPSS metric, the exact risk profile is uncertain, but a use‑after‑free in kernel code is typically high severity. The vulnerability is local to the system and requires the attacker to trigger the race in a way that leads to a kernel memory fault. It is not listed in CISA's KEV catalog, and no EPSS data is available, so the current exploitation probability cannot be quantified.

Generated by OpenCVE AI on June 25, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the fastrpc_map_create patch.
  • If immediate kernel upgrade is not possible, apply the patch directly from the commit referenced in the CVE.
  • Disable the fastrpc subsystem if it is not required by your workload to eliminate the attack surface.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:00:00 +0000

Weaknesses added: CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Description added: In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in fastrpc_map_create fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) on this unprotected pointer. A concurrent MEM_UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object. Restore the take_ref parameter to fastrpc_map_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller.
Title added: misc: fastrpc: fix use-after-free race in fastrpc_map_create
First Time appeared added: Linux; Linux linux Kernel
CPEs added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products added: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:42.138Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53160

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:45:16Z

Weaknesses