Description
In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: check allocation under invalidate lock

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in
invalidating cache blocks") added mq->lock around the destructive part of
smq_invalidate_mapping(), but left the e->allocated check outside the
critical section.

That leaves a check-then-act race. Two concurrent invalidators can both
observe e->allocated as true before either of them takes mq->lock. The
first invalidator that acquires the lock removes the entry from the
queues and hash table and then calls free_entry(), which clears
e->allocated and puts the entry back on the free list. The second
invalidator can then acquire mq->lock and continue with the stale result
of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that
is no longer on those structures. It can also hit the allocation check in
free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the
destructive operations are serialized by the same lock.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the Device Mapper cache policy in the Linux kernel, where an allocation check for a cache entry is performed outside the mutex that protects the deletion of that entry. If two invalidators run concurrently, they can both observe the entry as allocated, proceed to delete it, and free it again. This can corrupt the SMQ queues or hash tables, and may trigger use‑after‑free errors. The resulting kernel memory corruption can cause system crashes, kernel panics, or potentially allow an attacker to hijack privileged execution paths, thereby compromising confidentiality, integrity, or availability of the system.

Affected Systems

All Linux kernel releases that implement the Device Mapper cache with the SMQ queue are affected. The vulnerability affects any kernel that does not contain commit 2d1f7b65f5de or later. As the affected component is part of the core kernel, the impact spans all architectures that include the Device Mapper cache.

Risk and Exploitability

No CVSS score is available, and the EPSS score is not reported, so the quantified likelihood of exploitation remains uncertain. The vulnerability requires two concurrent cache invalidations, which could be induced by multi‑threaded workloads or by users who control the device‑mapper mappings. Because it is a local kernel race, an exploit would need local access or the ability to run privileged processes that exercise the cache. The vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed public exploits as of the input data.

Generated by OpenCVE AI on June 25, 2026 at 12:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes commit 2d1f7b65f5de or newer.
  • If an upgrade is not possible, recompile the kernel sources with the patch applied manually.
  • If a patch cannot be applied immediately, disable the Device Mapper cache or reduce concurrent cache operations to mitigate the race.
  • Monitor kernel logs and system stability for crash events such as "oops" or bad page faults that may indicate residual corruption.

Generated by OpenCVE AI on June 25, 2026 at 12:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm cache policy smq: check allocation under invalidate lock commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks") added mq->lock around the destructive part of smq_invalidate_mapping(), but left the e->allocated check outside the critical section. That leaves a check-then-act race. Two concurrent invalidators can both observe e->allocated as true before either of them takes mq->lock. The first invalidator that acquires the lock removes the entry from the queues and hash table and then calls free_entry(), which clears e->allocated and puts the entry back on the free list. The second invalidator can then acquire mq->lock and continue with the stale result of the unlocked check. This can corrupt the SMQ queues or hash table by deleting an entry that is no longer on those structures. It can also hit the allocation check in free_entry() when the same entry is freed again. Move the allocation check under mq->lock so the predicate and the destructive operations are serialized by the same lock.
Title dm cache policy smq: check allocation under invalidate lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:52.543Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53265

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-416

    Use After Free