Description
In the Linux kernel, the following vulnerability has been resolved:

iomap: avoid potential null folio->mapping deref during error reporting

When a buffered read fails, iomap_finish_folio_read() reports the error
with fserror_report_io(folio->mapping->host, ...). This is called after
ifs->read_bytes_pending has been decremented by the bytes attempted to
be read.

For a folio split across multiple read completions, the folio is only
guaranteed to stay locked while read_bytes_pending > 0. Once
iomap_finish_folio_read() decrements read_bytes_pending, another
in-flight read can complete and end the read on the folio, which unlocks
it. This allows truncate logic to run and detach the folio (set
folio->mapping to NULL). The error reporting path then can dereference a
NULL folio->mapping. As reported by Sam Sun, this is the race that can
occur:

CPU0: failed completion CPU1: final completion CPU2: truncate
----------------------- ---------------------- --------------
read_bytes_pending -= len
finished = false
/* preempted before
fserror_report_io() */
read_bytes_pending -= len
finished = true
folio_end_read()
truncate clears
folio->mapping
fserror_report_io(
folio->mapping->host, ...)
^ NULL deref

Fix this by reporting the error first before decrementing
ifs->read_bytes_pending.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a race condition in the Linux kernel’s iomap subsystem that can cause a null pointer dereference during error reporting when a buffered read fails. It occurs because the error is reported after the read‑bytes counter is decremented, allowing a concurrent truncate operation to clear the folio’s mapping while the error reporting is still pending. If the mapping is cleared, the error‑reporting function dereferences a NULL pointer, which is a classic pointer dereference flaw (CWE-476). The dereference may trigger a kernel panic, resulting in loss of system availability.

Affected Systems

The flaw affects all installations of the Linux kernel that have not incorporated the commit that reports the error before decrementing the read_bytes_pending counter. This includes unpatched kernels shipped by major Linux distributions and older kernel versions that may still be in use.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA's KEV catalog. The CVSS score of 7.5 indicates high severity, meaning the risk is moderate to high because a successful exploitation would cause a kernel crash and denial of service. The most probable attack vector is a race condition that requires concurrent read and truncate operations on the same storage device. The description indicates that this race can be possible, so the ability to trigger it from userspace is inferred; it likely requires elevated privileges or privileged access to the relevant storage subsystem.

Generated by OpenCVE AI on June 28, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a kernel version that includes the iomap error‑reporting fix (commit that reports errors before decrementing read_bytes_pending).
  • If an immediate kernel upgrade is not possible, apply a local patch or backport the corrected code into your kernel before rebooting.
  • Limit or monitor simultaneous read and truncate operations on devices affected by this race condition, and consider disabling truncate for critical files during high‑concurrency workloads or adjusting iomap settings to reduce concurrency hazards.

Generated by OpenCVE AI on June 28, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iomap: avoid potential null folio->mapping deref during error reporting When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(folio->mapping->host, ...). This is called after ifs->read_bytes_pending has been decremented by the bytes attempted to be read. For a folio split across multiple read completions, the folio is only guaranteed to stay locked while read_bytes_pending > 0. Once iomap_finish_folio_read() decrements read_bytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping. As reported by Sam Sun, this is the race that can occur: CPU0: failed completion CPU1: final completion CPU2: truncate ----------------------- ---------------------- -------------- read_bytes_pending -= len finished = false /* preempted before fserror_report_io() */ read_bytes_pending -= len finished = true folio_end_read() truncate clears folio->mapping fserror_report_io( folio->mapping->host, ...) ^ NULL deref Fix this by reporting the error first before decrementing ifs->read_bytes_pending.
Title iomap: avoid potential null folio->mapping deref during error reporting
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:40.470Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53165

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53165 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses