Description
In the Linux kernel, the following vulnerability has been resolved:

zram: fix use-after-free in zram_bvec_write_partial()

zram_read_page() picks the sync or async backing device read path based on
whether the parent bio is NULL. zram_bvec_write_partial() passes its
parent bio down, so for ZRAM_WB slots the read is dispatched
asynchronously and zram_read_page() returns 0 while the bio is still in
flight. The caller then runs memcpy_from_bvec(), zram_write_page() and
__free_page() on the buffer, leaving the async read to write into a freed
page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
("zram: fix synchronous reads") for the same reason; the write_partial
counterpart was missed.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in zram_bvec_write_partial(): when an asynchronous write frees a page while a simultaneous read may still be writing into that page, a use‑after‑free occurs. This leads to can cause crashes or other kernel‑level memory corruption symptoms. The weakness is captured by CWE-364 (Race Condition).

Affected Systems

The vulnerability affects all Linux kernel installations that have not yet incorporated the fix commit 0c2821665ff71be3f4b07ecece384669f2877f6a. No specific version list is supplied; however, more recent kernel releases include this commit. Linux kernel devices that use zram for memory compression and management are subject to the flaw.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. The EPSS score is less than 1%, and the vulnerability is not listed in CISA’s KEV catalog, making the likelihood of exploitation low under normal circumstances. The attack vector is inferred to be a local user with the ability to perform zram operations; no remote exploitation path is documented in the CVE data. Even though the risk remains theoretical without a demonstrated exploit, the impact of kernel memory corruption could lead to denial of service or potential privilege escalation if adversaries can trigger the race condition.

Generated by OpenCVE AI on June 28, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a Linux kernel version that includes commit 0c2821665ff71be3f4b07ecece384669f2877f6a.
  • If immediate kernel upgrade is not possible, disable the zram device by unbinding or removing it from use to mitigate the race condition.
  • Restrict access to zram device nodes (e.g. /dev/zram*) to only privileged users to limit local exploitation risk.

Generated by OpenCVE AI on June 28, 2026 at 14:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zram_bvec_write_partial() zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page. zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.
Title zram: fix use-after-free in zram_bvec_write_partial()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:39.176Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53185

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53185 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:00:12Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition