Description
In the Linux kernel, the following vulnerability has been resolved:

arm64: Reserve an extra page for early kernel mapping

The final part of [data, end) segment may overflow into the next page of
init_pg_end[1] which is the gap page before early_init_stack[2]:

[1]
crash_arm64_v9.0.1> vtop ffffffed00601000
VIRTUAL PHYSICAL
ffffffed00601000 83401000

PAGE DIRECTORY: ffffffecffd62000
PGD: ffffffecffd62da0 => 10000000833fb003
PMD: ffffff80033fb018 => 10000000833fe003
PTE: ffffff80033fe008 => 68000083401f03
PAGE: 83401000

PTE PHYSICAL FLAGS
68000083401f03 83401000 (VALID|SHARED|AF|NG|PXN|UXN)

PAGE PHYSICAL MAPPING INDEX CNT FLAGS
fffffffec00d0040 83401000 0 0 1 4000 reserved

[2]
ffffffed002c8000 (r) __pi__data
ffffffed0054e000 (d) __pi___bss_start
ffffffed005f5000 (b) __pi_init_pg_dir
ffffffed005fe000 (b) __pi_init_pg_end
ffffffed005ff000 (B) early_init_stack
ffffffed00608000 (b) __pi__end

For 4K pages, the early kernel mapping may use 2MB block entries but the
kernel segments are only 64KB aligned. Segment boundaries that fall
within a 2MB block therefore require a PTE table so that different
attributes can be applied on either side of the boundary.

KERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel
VMAs registered by declare_kernel_vmas(). However, since commit
5973a62efa34 ("arm64: map [_text, _stext) virtual address range
non-executable+read-only"), the early mapper also maps [_text, _stext)
separately from [_stext, _etext). This adds one more early-only split
and can require one more page-table page than the existing
EARLY_SEGMENT_EXTRA_PAGES allowance reserves.

Increase the 4K-page early mapping allowance by one page to cover that
additional split.

[catalin.marinas@arm.com: rewrote part of the commit log]
[catalin.marinas@arm.com: expanded the code comment]
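
The page-table accounting described in the commit log can be reproduced with a small model. This is an added example, not kernel code and not part of the commit: it counts the 2MB blocks that contain a segment boundary which is not 2MB aligned, since each such block needs a PTE table. The offsets are constructed and the segment labels other than _text/_stext/_etext are placeholders. Only leaf PTE tables are modelled, not the kernel's full early page-table budget.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SHIFT 21                          /* 2MB block entries (4K pages) */
#define BLOCK_MASK  ((1ULL << BLOCK_SHIFT) - 1)

struct seg { uint64_t start, end; };            /* half-open range [start, end) */

/* Constructed offsets from a 2MB-aligned image base; all are 64KB aligned. */
static const struct seg merged[] = {            /* text mapped as one range */
    { 0x0000000, 0x0a10000 },                   /* [_text, _etext)          */
    { 0x0a10000, 0x0e30000 },                   /* placeholder: rodata      */
    { 0x0e30000, 0x1050000 },                   /* placeholder: init text   */
    { 0x1050000, 0x1290000 },                   /* placeholder: init data   */
    { 0x1290000, 0x1a10000 },                   /* [data, end)              */
};
static const struct seg split[] = {             /* [_text, _stext) split out */
    { 0x0000000, 0x0010000 },                   /* [_text, _stext)          */
    { 0x0010000, 0x0a10000 },                   /* [_stext, _etext)         */
    { 0x0a10000, 0x0e30000 }, { 0x0e30000, 0x1050000 },
    { 0x1050000, 0x1290000 }, { 0x1290000, 0x1a10000 },
};

/* Record a 2MB block index once: boundaries in the same block share a table. */
static void note_block(uint64_t *seen, size_t *n, uint64_t blk)
{
    for (size_t i = 0; i < *n; i++)
        if (seen[i] == blk) return;
    seen[(*n)++] = blk;
}

/* Number of 2MB blocks holding an unaligned boundary, i.e. PTE tables needed. */
size_t pte_tables_needed(const struct seg *s, size_t count)
{
    uint64_t seen[32];
    size_t n = 0;
    for (size_t i = 0; i < count && n + 2 <= 32; i++) {
        if (s[i].start & BLOCK_MASK) note_block(seen, &n, s[i].start >> BLOCK_SHIFT);
        if (s[i].end & BLOCK_MASK)   note_block(seen, &n, s[i].end >> BLOCK_SHIFT);
    }
    return n;
}

size_t tables_merged(void) { return pte_tables_needed(merged, sizeof merged / sizeof merged[0]); }
size_t tables_split(void)  { return pte_tables_needed(split, sizeof split / sizeof split[0]); }

int main(void)
{
    printf("text as one range: %zu PTE tables\n", tables_merged());
    printf("[_text, _stext) split out: %zu PTE tables\n", tables_split());
    return 0;
}
```

In this layout the split adds a boundary inside the first 2MB block, which would otherwise be covered by a single block entry, so one more page-table page is consumed.
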
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates when the final portion of a memory segment can extend beyond its allocated page and overlap the next page reserved for the early kernel stack. This misalignment allows overwriting page table entries that control memory mappings, potentially leading to a kernel crash or unpredictable system behavior. This is an out-of-bounds write (CWE-787). The description indicates a risk of system instability, which in the worst case can result in a denial of service. No explicit privilege escalation or data disclosure is reported in the provided details.

Affected Systems

The vulnerability affects Linux kernels running on ARM64 architectures. Any kernel prior to the commit that reserves an extra page for early mapping may be susceptible, regardless of the distribution or firmware version. Specific affected releases are not enumerated, so all kernels compiled with early initialization mapping before the patch should be considered at risk.

Risk and Exploitability

CVSS, EPSS, and KEV metrics are not disclosed, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that no active exploitation is documented. The description indicates the flaw involves kernel memory, implying that the attack vector is local rather than remote. Based on the information, it is inferred that the overall risk is low to moderate, primarily stemming from accidental crashes in development or testing environments rather than from a serious security breach.

Generated by OpenCVE AI on June 26, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch commit for ARM64 early mapping.
  • Schedule the kernel upgrade during a maintenance window to avoid disrupting production services.
  • After applying the patch, verify system stability by inspecting kernel logs for any early mapping related page fault incidents.

Generated by OpenCVE AI on June 26, 2026 at 23:21 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119, CWE-787

Fri, 26 Jun 2026 20:15:00 +0000

Values added (none removed):

  • Description: the text given in the Description section above
  • Title: arm64: Reserve an extra page for early kernel mapping
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:48.528Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53288

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:30:05Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-787

    Out-of-bounds Write