Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53331— slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock

AI Predicted 3.3 Difficulty: Hard EPSS 0.17% · P7

Affected Version Matrix 16

VendorProductVersion RangeStatus
LinuxLinuxa899d324863a3d15ce0eea513884e1b73a758c58< 3d1561537237c6cc1db76155183d8bbdac2339f0affected
a899d324863a3d15ce0eea513884e1b73a758c58< dc4d5c57e012c2c669793deb1515a57bbc6bf5ddaffected
a899d324863a3d15ce0eea513884e1b73a758c58< d54a221b0f3cd9e1f03f18104be34e02a8258faeaffected
a899d324863a3d15ce0eea513884e1b73a758c58< aad4337a21b9ad3ae8d668fa8678d05e26ecbaa8affected
a899d324863a3d15ce0eea513884e1b73a758c58< 9f0d45d509b434c54da10e01f4ef8086e4583401affected
a899d324863a3d15ce0eea513884e1b73a758c58< 9708eb50fd7343145b422be852f890212155d845affected
a899d324863a3d15ce0eea513884e1b73a758c58< 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ecaffected
5.11affected
… +8 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53331

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock During the SSR/PDR down notification the tx_lock is taken with the intent to provide synchronization with active DMA transfers. But during this period qcom_slim_ngd_down() is invoked, which ends up in slim_report_absent(), which takes the slim_controller lock. In multiple other codepaths these two locks are taken in the opposite order (i.e. slim_controller then tx_lock). The result is a lockdep splat, and a possible deadlock: rprocctl/449 is trying to acquire lock: ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus but task is already holding lock: ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl which lock already depends on the new lock. Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ctrl->tx_lock); lock(&ctrl->lock); lock(&ctrl->tx_lock); lock(&ctrl->lock); The assumption is that the comment refers to the desire to not call qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction. But any such transaction is initiated and completed within a single qcom_slim_ngd_xfer_msg(). Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn down, all child devices are notified that the slimbus is gone and the child devices are removed. Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the deadlock.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会开源的一款操作系统内核。 Linux kernel存在安全漏洞,该漏洞源于qcom-ngd-ctrl中tx_lock和ctrl->lock的获取顺序不一致,可能导致死锁。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux a899d324863a3d15ce0eea513884e1b73a758c58 ~ 3d1561537237c6cc1db76155183d8bbdac2339f0 -
LinuxLinux 5.11 -

II. Public POCs for CVE-2026-53331

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53331

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53331 (7)

Same Patch Batch · Linux · 2026-07-01 · 31 CVEs total

CVE-2026-53342arm64: mm: call pagetable dtor when freeing hot-removed page tables
CVE-2026-53326debugobjects: Don't call fill_pool() in early boot hardirq context
CVE-2026-53327debugobjects: Do not fill_pool() if pi_blocked_on
CVE-2026-53328sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task()
CVE-2026-53329drm/amd/display: Use krealloc_array() in dal_vector_reserve()
CVE-2026-53330drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()
CVE-2026-53332slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
CVE-2026-53334mm/damon/reclaim: handle ctx allocation failure
CVE-2026-53333mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
CVE-2026-53335mm/damon/lru_sort: handle ctx allocation failure
CVE-2026-53336nvmem: layouts: onie-tlv: fix hang on unknown types
CVE-2026-53337net: bonding: fix NULL pointer dereference in bond_do_ioctl()
CVE-2026-53338net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
CVE-2026-53340i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
CVE-2026-53339i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
CVE-2026-53356drm/i915/gem: Fix phys BO pread/pwrite with offset
CVE-2026-53341fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
CVE-2026-53343ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
CVE-2026-53344pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
CVE-2026-53345KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

Showing top 20 of 31 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53331

No comments yet


Leave a comment