Description
In the Linux kernel, the following vulnerability has been resolved:

memcg: use round-robin victim selection in refill_stock

Harry Yoo reported that get_random_u32_below() is not safe to call in the
nmi context and memcg charge draining can happen in nmi context.

More specifically get_random_u32_below() is neither reentrant- nor
NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the
batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the
ChaCha batch state and recurses into the random subsystem would corrupt
that state. The memcg_stock local_trylock prevents re-entry on the percpu
stock itself, but cannot protect an unrelated subsystem's per-cpu lock.

Replace the random pick with a per-cpu round-robin counter stored in
memcg_stock_pcp and serialized by the same local_trylock that already
guards cached[] and nr_pages[]. No atomics, no random calls, no extra
locks needed.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel’s memory‑control group subsystem when the function get_random_u32_below() is invoked during a non‑re‑entrant NMI context, corrupting the ChaCha entropy state and potentially resulting in kernel memory corruption. This flaw is present in the victim selection logic for refill_stock, where a random pick can be unsafe. The resulting memory corruption can lead to a kernel panic, denial of service, or, if the attacker can trigger the corruption, privilege escalation.

Affected Systems

All Linux kernel builds that have not incorporated the recent patch replacing get_random_u32_below() with a per‑CPU round‑robin counter are affected. The fix appears in the mainline kernel, and any distribution still using an older kernel version is vulnerable. The issue resides in kernel memory control group code and does not affect user‑space applications directly.

Risk and Exploitability

The EPSS score of <1% indicates a very low probability of exploitation, and the CVE is not listed in CISA KEV, suggesting no publicly known exploits. Based on the description, it is inferred that the likely attack vector involves inducing a hardware NMI while the kernel is updating the ChaCha entropy state—a scenario unlikely without physical or advanced firmware access. However, if exploited, the kernel memory corruption that ensues could lead to system crashes or, in a forced scenario, privilege escalation. The CVSS score of 7.8 denotes high severity.

Generated by OpenCVE AI on June 28, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the memcg refill_stock round‑robin patch (e.g., commit 00731bd7e18f182a32ca54d6b176eaa470b51ed7).
  • If an immediate kernel upgrade is not possible, apply a backport or custom patch that replaces get_random_u32_below() with a per‑CPU counter to enforce safe victim selection.
  • Limit or disable hardware NMI traffic through BIOS/firmware settings to reduce the window for triggering the vulnerable path until a kernel fix is applied.

Generated by OpenCVE AI on June 28, 2026 at 14:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-327
CWE-674

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-327
CWE-674

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: memcg: use round-robin victim selection in refill_stock Harry Yoo reported that get_random_u32_below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context. More specifically get_random_u32_below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state. The memcg_stock local_trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock. Replace the random pick with a per-cpu round-robin counter stored in memcg_stock_pcp and serialized by the same local_trylock that already guards cached[] and nr_pages[]. No atomics, no random calls, no extra locks needed.
Title memcg: use round-robin victim selection in refill_stock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:38.906Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53162

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53162 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-366

    Race Condition within a Thread