目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1336 CNY

100%
コーヒーを一杯おごる

CVE-2026-53025— greybus: raw cdev关闭时存在使用后可释放漏洞

EPSS 0.16% · P6
新しい脆弱性情報の通知を購読するログインして購読

I. CVE-2026-53025の基本情報

脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗

高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。

脆弱性タイトル
greybus: raw: fix use-after-free on cdev close
ソース: NVD (National Vulnerability Database)
脆弱性説明
In the Linux kernel, the following vulnerability has been resolved: greybus: raw: fix use-after-free on cdev close This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the following panic when init on free is enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y): refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130 ... Call Trace: <TASK> cdev_put+0x18/0x30 __fput+0x255/0x2a0 __x64_sys_close+0x3d/0x80 do_syscall_64+0xa4/0x290 entry_SYSCALL_64_after_hwframe+0x77/0x7f The cdev is contained in the "gb_raw" structure, which is freed in the disconnect operation. When the cdev is released at a later time, cdev_put gets an address that points to freed memory. To fix this use-after-free, convert the struct device from a pointer to being embedded, that makes the lifetime of the cdev and of this device the same. Then, use cdev_device_add, which guarantees that the device won't be released until all references to the cdev have been released. Finally, delegate the freeing of the structure to the device release function, instead of freeing immediately in the disconnect callback.
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
N/A
ソース: NVD (National Vulnerability Database)

影響を受ける製品

ベンダープロダクト影響を受けるバージョンCPE購読
LinuxLinux e806c7fb8e9bae87fc23958c3789f2c2f96f54a4 ~ ef2d97c15b19b3489de01695bce478601e236c3e -
LinuxLinux 4.9 -

II. CVE-2026-53025の公開POC

#POC説明ソースリンクShenlongリンク
AI生成POCプレミアム

公開POCは見つかりませんでした。

ログインしてAI POCを生成

III. CVE-2026-53025のインテリジェンス情報

登录查看更多情报信息。

CVE-2026-53025 其他参考 (2)

Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total

CVE-2026-52980sched/fair: Clear rel_deadline when initializing forked entities
CVE-2026-52993tipc: fix double-free in tipc_buf_append()
CVE-2026-52991sched/psi: fix race between file release and pressure write
CVE-2026-52990fsnotify: fix inode reference leak in fsnotify_recalc_mask()
CVE-2026-52988netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase
CVE-2026-52989nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
CVE-2026-52987drm/amdgpu: avoid double drm_exec_fini() in userq validate
CVE-2026-52986netfilter: nf_conntrack_sip: don't use simple_strtoul
CVE-2026-52985netdevsim: zero initialize struct iphdr in dummy sk_buff
CVE-2026-52984net/sched: netem: fix queue limit check to include reordered packets
CVE-2026-52982net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
CVE-2026-52983net: airoha: fix BQL imbalance in TX path
CVE-2026-52981neigh: let neigh_xmit take skb ownership
CVE-2026-52979net: psp: check for device unregister when creating assoc
CVE-2026-52968KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
CVE-2026-52972crypto: af_alg - Cap AEAD AD length to 0x80000000
CVE-2026-52970netfilter: nft_ct: fix missing expect put in obj eval
CVE-2026-52969KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
CVE-2026-52971net: ena: PHC: Fix potential use-after-free in get_timestamp
CVE-2026-52967smb/client: fix possible infinite loop and oob read in symlink_data()

Showing 20 of 219 CVEs. View all on vendor page →

IV. 関連脆弱性

同じ製品: Linux
同じベンダー: Linux

V. CVE-2026-53025へのコメント

まだコメントはありません

コメントを残す