Description
In the Linux kernel, the following vulnerability has been resolved:

locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

syzbot triggered the following splat in remove_waiter() via
FUTEX_CMP_REQUEUE_PI:

KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
class_raw_spinlock_constructor
remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
rt_mutex_start_proxy_lock+0x103/0x120
futex_requeue+0x10e4/0x20d0
__x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead
of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock
return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
account for try_to_take_rt_mutex().
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s rtmutex subsystem causes the remove_waiter() routine to be called without first confirming that a waiter is enqueued. The omission leads to a null‑pointer dereference and a kernel panic. The issue is triggered when a futex operation using FUTEX_CMP_REQUEUE_PI attempts to requeue a futex in the presence of an early deadlock return, a code path that was incorrectly handled after recent refactoring of rt_mutex_start_proxy_lock(). The resulting crash disrupts system availability, allowing a privileged or malicious user to force a reboot or render the host unusable.

Affected Systems

All Linux kernel builds that include the rtmutex implementation before the fix are affected. The CNA lists the product simply as Linux:Linux, and no specific version ranges are provided, indicating that the vulnerability existed across multiple releases until the referenced commits corrected the logic. Administrators should verify whether their running kernel contains the patches referenced by the commit IDs 40a25d59e85b3c8709ac2424d44f65610467871e and 1a1fb985f2e2.

Risk and Exploitability

This is a medium‑severity local denial‑of‑service vulnerability with a CVSS score of 5.5. A kernel crash can be triggered by a null‑pointer dereference in the rtmutex subsystem. Exploitation requires local kernel access through a futex operation such as FUTEX_CMP_REQUEUE_PI; an attacker must be able to influence or control futex usage from a user or privileged process. The EPSS score is < 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been observed. Nonetheless, the severity and potential availability impact warrant prompt mitigation.

Generated by OpenCVE AI on June 26, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the host to a Linux kernel version that incorporates the commit fixing the rtmutex logic.
  • If an upgrade cannot be applied immediately, isolate or restrict any process capable of invoking FUTEX_CMP_REQUEUE_PI by applying SELinux or AppArmor policies to prevent untrusted code from triggering the kernel panic.
  • Continuously monitor kernel logs for panic events related to rtmutex and configure automated failover or reboot procedures to maintain system availability after a crash.

Generated by OpenCVE AI on June 26, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6381-1 linux security update
History

Sat, 04 Jul 2026 12:15:00 +0000


Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI: KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] class_raw_spinlock_constructor remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rt_mutex_start_proxy_lock+0x103/0x120 futex_requeue+0x10e4/0x20d0 __x64_sys_futex+0x34f/0x4d0 task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal. Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try_to_take_rt_mutex().
Title locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-04T11:50:59.024Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53163

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53163 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T13:30:16Z

Weaknesses