Description
In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: Push kjump return address even for non-kjump kexec

The version of purgatory code shipped by kexec-tools attempts to look above
the top of its stack to find a return address for a kjump, even in a non-kjump
kexec.

After the commit in Fixes: the word above the stack might not be there,
leading to a fault (which is at least now caught by my exception-handling code
in kexec).

That commit fixed things for the actual kjump path, but no longer
"gratuitously" pushes the unused return address to the stack in the non-kjump
path. Put that *back* in the non-kjump path, to prevent purgatory from
crashing when trying to access it.
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The patch corrects a flaw in the Linux kernel’s kexec purgatory code where the non-kjump path incorrectly attempted to read a return address from above the stack. This misread causes an exception that can crash the system, representing a stack overread that leads to denial of service. After the fix, the unused return address is again pushed to the stack in the non-kjump path, preventing the purgatory code from crashing during a non-kjump kexec.

Affected Systems

All Linux kernels that include the purgatory code shipped by kexec-tools are affected, according to the CNA entry Linux:Linux. Without version specifics, any kernel that has not incorporated the cited commit is susceptible. The impact applies to any distribution using the standard Linux kernel and kexec-tools in its default configuration.

Risk and Exploitability

No CVSS score is provided, and the EPSS score is unavailable, so the objective likelihood of exploitation cannot be computed from the data. The vulnerability is not listed in CISA’s KEV catalog, indicating no known public exploits. The flaw requires a privileged user to initiate a kexec operation; thus the primary attack vector, inferred from the description, is local privileged execution. Once the patch is applied, the crash path is eliminated, and the risk is effectively mitigated.

Generated by OpenCVE AI on June 26, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the kexec fix.
  • Update kexec-tools to the newest release that contains the corrected purgatory logic.
  • If a kernel upgrade is not immediately feasible, disable kexec functionality on critical systems by setting the appropriate kernel parameter or removing the kexec utilities until the patch is deployed.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | - | CWE-787, CWE-788

Fri, 26 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | - | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Push kjump return address even for non-kjump kexec The version of purgatory code shipped by kexec-tools attempts to look above the top of its stack to find a return address for a kjump, even in a non-kjump kexec. After the commit in Fixes: the word above the stack might not be there, leading to a fault (which is at least now caught by my exception-handling code in kexec). That commit fixed things for the actual kjump path, but no longer "gratuitously" pushes the unused return address to the stack in the non-kjump path. Put that *back* in the non-kjump path, to prevent purgatory from crashing when trying to access it.
Title | - | x86/kexec: Push kjump return address even for non-kjump kexec
First Time appeared | - | Linux; Linux linux Kernel
CPEs | - | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | - | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:43.754Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53282

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:00:07Z

Weaknesses
  • CWE-787

    Out-of-bounds Write

  • CWE-788

    Access of Memory Location After End of Buffer