PatchSiren cyber security CVE debrief
CVE-2026-53085 Linux CVE debrief
CVE-2026-53085 is a high-severity use-after-free vulnerability in the Linux kernel. The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed, because it is not SLAB_TYPESAFE_BY_RCU, and the iterator is left using freed memory. The fix reads task->mm safely with a trylock on alloc_lock and acquires an mm reference. It also rejects irqs-disabled contexts (including NMI) up front and uses a trylock on alloc_lock instead of the blocking task_lock() to prevent deadlocks.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-28
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-28
Who should care
Linux kernel developers, Linux distribution maintainers, and organizations using Linux-based systems should be aware of this vulnerability. Attackers can exploit it to gain elevated privileges and execute arbitrary code. Kernel developers and maintainers should review and apply the provided patches to prevent exploitation.
Technical summary
The vulnerability exists in the open-coded task_vma iterator in the Linux kernel. The iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. To fix this vulnerability, safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. Reject irqs-disabled contexts (including NMI) up front and use a trylock on alloc_lock instead of the blocking task_lock() to prevent deadlocks.
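The lifecycle rule described above, modeled in user-space C as an added example (it is not the kernel patch or any project code): the iterator takes a trylock, pins the mm with a reference before storing the pointer, and drops that reference on destroy. All struct and function names and the error codes are assumptions made for this model.

```c
/* Constructed user-space model: names and error codes are assumptions, not kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

struct mm   { atomic_int users; int freed; };            /* models mm_struct */
struct task { atomic_flag alloc_lock; struct mm *mm; };  /* models task_struct */
struct iter { struct mm *mm; };

static void mm_put(struct mm *mm) {
    if (mm && atomic_fetch_sub(&mm->users, 1) == 1)
        mm->freed = 1;  /* last reference: the kernel would free the mm here */
}

/* Fixed pattern: pin the mm before the iterator stores a pointer to it. */
static int iter_new(struct iter *it, struct task *t, int irqs_disabled) {
    it->mm = NULL;
    if (irqs_disabled || atomic_flag_test_and_set(&t->alloc_lock))
        return -EBUSY;                       /* irqs-off/NMI, or trylock failed */
    if (t->mm)                               /* stable while alloc_lock is held */
        atomic_fetch_add(&t->mm->users, 1);  /* the reference the bug never took */
    it->mm = t->mm;
    atomic_flag_clear(&t->alloc_lock);
    return it->mm ? 0 : -ENOENT;
}

/* Destroy and error paths drop the pin taken in iter_new(). */
static void iter_destroy(struct iter *it) { mm_put(it->mm); it->mm = NULL; }

static void task_exit(struct task *t) {  /* exit path: detach mm, drop task's ref */
    while (atomic_flag_test_and_set(&t->alloc_lock)) { }
    struct mm *mm = t->mm;
    t->mm = NULL;
    atomic_flag_clear(&t->alloc_lock);
    mm_put(mm);
}

/* Returns 1 if the mm outlives a task exit and is freed only on destroy. */
static int exit_during_iteration(int irqs_disabled) {
    struct mm m = { 1, 0 };
    struct task t = { ATOMIC_FLAG_INIT, &m };
    struct iter it;
    int err = iter_new(&it, &t, irqs_disabled);
    if (err) return err;                     /* rejected before touching task->mm */
    task_exit(&t);
    int alive_after_exit = !m.freed;
    iter_destroy(&it);
    return alive_after_exit && m.freed;
}
int main(void) { return exit_during_iteration(0) == 1 ? 0 : 1; }
```

Without the `atomic_fetch_add()` in `iter_new()`, `task_exit()` would drop the count to zero while the iterator still held the pointer, which is the use-after-free condition the advisory describes.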
Defensive priority
High priority should be given to patching this vulnerability, as it can be exploited by attackers to gain elevated privileges and execute arbitrary code. Linux kernel developers and maintainers should review and apply the provided patches as soon as possible.
Recommended defensive actions
- Review and apply the provided patches to the Linux kernel.
- Use a trylock on alloc_lock to safely read task->mm and acquire an mm reference.
- Reject irqs-disabled contexts (including NMI) up front to prevent deadlocks.
- Use bpf_iter_mmput_async() to drop the mm reference in _destroy() and error paths.
- Monitor Linux kernel updates and apply patches promptly.
Evidence notes
The vulnerability was resolved by fixing the mm lifecycle in the open-coded task_vma iterator. The fix involves safely reading task->mm with a trylock on alloc_lock and acquiring an mm reference. The provided patches should be reviewed and applied to prevent exploitation.
Official resources
- CVE-2026-53085 CVE record (CVE.org)
- CVE-2026-53085 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
This article is AI-assisted and based on the supplied source corpus.