Description
In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: check allocation under invalidate lock

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in
invalidating cache blocks") added mq->lock around the destructive part of
smq_invalidate_mapping(), but left the e->allocated check outside the
critical section.

That leaves a check-then-act race. Two concurrent invalidators can both
observe e->allocated as true before either of them takes mq->lock. The
first invalidator that acquires the lock removes the entry from the
queues and hash table and then calls free_entry(), which clears
e->allocated and puts the entry back on the free list. The second
invalidator can then acquire mq->lock and continue with the stale result
of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that
is no longer on those structures. It can also hit the allocation check in
free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the
destructive operations are serialized by the same lock.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the Device Mapper cache policy in the Linux kernel, where an allocation check for a cache entry is performed outside the mutex that protects the deletion of that entry. If two invalidators run concurrently, they can both observe the entry as allocated, proceed to delete it, and free it again. This can corrupt the SMQ queues or hash tables, and may trigger use‑after‑free errors. The resulting kernel memory corruption can cause system crashes, kernel panics, or potentially allow an attacker to hijack privileged execution paths, thereby compromising confidentiality, integrity, or availability of the system.

Affected Systems

All Linux kernel releases that implement the Device Mapper cache with the SMQ queue are affected. The vulnerability affects any kernel that does not contain commit 2d1f7b65f5de or later. As the affected component is part of the core kernel, the impact spans all architectures that include the Device Mapper cache.

Risk and Exploitability

With a CVSS score of 7.8 and an EPSS of less than 1%, the vulnerability is considered high severity but the probability of exploitation remains low. The race condition requires two concurrent cache invalidations which could be triggered by multi‑threaded workloads or by administrative access to device‑mapper mappings. Because it is a local kernel race, an attacker must have local access or be able to run privileged code that exercises the Device Mapper cache. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploits as of the latest data.

Generated by OpenCVE AI on June 28, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes commit 2d1f7b65f5de or newer.
  • If an upgrade is not possible, recompile the kernel sources with the patch applied manually.
  • If a patch cannot be applied immediately, disable the Device Mapper cache or reduce concurrent cache operations to mitigate the race.
  • Monitor kernel logs and system stability for crash events such as "oops" or bad page faults that may indicate residual corruption.

Generated by OpenCVE AI on June 28, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000


Sun, 28 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-37

Sun, 28 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm cache policy smq: check allocation under invalidate lock commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks") added mq->lock around the destructive part of smq_invalidate_mapping(), but left the e->allocated check outside the critical section. That leaves a check-then-act race. Two concurrent invalidators can both observe e->allocated as true before either of them takes mq->lock. The first invalidator that acquires the lock removes the entry from the queues and hash table and then calls free_entry(), which clears e->allocated and puts the entry back on the free list. The second invalidator can then acquire mq->lock and continue with the stale result of the unlocked check. This can corrupt the SMQ queues or hash table by deleting an entry that is no longer on those structures. It can also hit the allocation check in free_entry() when the same entry is freed again. Move the allocation check under mq->lock so the predicate and the destructive operations are serialized by the same lock.
Title dm cache policy smq: check allocation under invalidate lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:41:08.232Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53265

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53265 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:30:06Z

Weaknesses
  • CWE-37

    Path Traversal: '/absolute/pathname/here'