CVE-2026-53243 Overview
CVE-2026-53243 is a Linux kernel vulnerability in the restartable sequences (rseq) subsystem. The flaw resides in rseq_exit_user_update(), where an uninitialized stack variable is used during structure initialization. Syzbot identified the issue using the Kernel Memory Sanitizer (KMSAN), which reported a kernel info-leak in rseq_set_ids_get_csaddr at include/linux/rseq_entry.h:502. The root cause is the indeterminate evaluation order of initializer list expressions in C, which allowed the compiler to read ids.cpu_id before it was assigned. The defect can disclose uninitialized kernel stack memory to user space.
Critical Impact
The vulnerability can leak uninitialized kernel stack contents into user-accessible structures, potentially exposing sensitive kernel data used to defeat address space layout randomization (KASLR) or aid further exploitation.
Affected Products
- Linux kernel versions containing the rseq_exit_user_update() implementation in include/linux/rseq_entry.h
- Distributions shipping the affected stable kernel branches prior to the upstream fix
- Builds compiled with Clang where the initializer evaluation order triggers the uninitialized read
Discovery Timeline
- 2026-06-25 - CVE-2026-53243 published to the National Vulnerability Database
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53243
Vulnerability Analysis
The defect is an uninitialized memory use [CWE-908] in the rseq subsystem of the Linux kernel. The rseq_exit_user_update() function constructs a struct rseq_ids using a designated initializer list. One initializer expression depends on a sibling field that has not yet been assigned. The compiler is permitted to evaluate the dependent expression first, producing a read of uninitialized stack memory.
KMSAN flagged the resulting kernel-infoleak because the unassigned bytes propagate into a structure that is subsequently copied to user space. An unprivileged local process exercising rseq can repeatedly trigger the path to harvest residual stack data.
Root Cause
The vulnerable code declares the structure as follows:
struct rseq_ids ids = {
.cpu_id = task_cpu(t),
.mm_cid = task_mm_cid(t),
.node_id = cpu_to_node(ids.cpu_id),
};
The C standard specifies that the evaluation order of expressions inside an initializer list is indeterminately sequenced. Clang, used in the KMSAN build that surfaced the bug, evaluates cpu_to_node(ids.cpu_id) before task_cpu(t) is stored into ids.cpu_id. The node_id field is therefore derived from whatever uninitialized stack byte happened to occupy that slot.
Attack Vector
A local user invokes a system call path that reaches rseq_exit_user_update(). The kernel writes the partially-initialized rseq_ids structure into a user-supplied rseq area through rseq_set_ids_get_csaddr. The attacker reads the structure back and recovers leaked kernel stack bytes. No special privileges are required and no kernel modules need to be loaded beyond stock rseq support.
Detection Methods for CVE-2026-53243
Indicators of Compromise
- KMSAN-enabled debug kernels reporting kernel-infoleak in rseq_set_ids_get_csaddr originating from include/linux/rseq_entry.h
- Unprivileged processes performing repeated rseq registration and exit cycles followed by reads of the rseq user area
- Anomalous user-space binaries probing node_id fields exported by rseq structures
Detection Strategies
- Audit running kernel build identifiers against the fixed commits 6d99479799c6 and e12d20a63b61 from the stable tree
- Enable KMSAN or KASAN in test environments to surface uninitialized reads during rseq workload replay
- Hunt for processes issuing high-frequency rseq syscalls in conjunction with reads of returned structure fields
Monitoring Recommendations
- Capture syscall telemetry for rseq() and correlate frequency against baseline user workloads
- Forward kernel ring buffer messages mentioning rseq or KMSAN to a centralized analytics platform for retention and search
- Track kernel package versions across the fleet to confirm patched builds are deployed
How to Mitigate CVE-2026-53243
Immediate Actions Required
- Apply the upstream stable patches referenced by commits 6d99479799c6 and e12d20a63b61 and rebuild affected kernels
- Deploy vendor kernel updates from your Linux distribution once they incorporate the upstream fix
- Reboot hosts after package installation so the patched kernel image is active
Patch Information
The fix moves the assignment of ids.node_id outside the structure initializer so that ids.cpu_id is fully assigned before it is read. The upstream patches are available at the kernel.org commit 6d99479799c6 and the kernel.org commit e12d20a63b61.
Workarounds
- Restrict execution of untrusted local code on multi-tenant hosts until the patched kernel is deployed
- Where feasible, disable workloads that rely on rseq until a fixed kernel is installed
- Apply seccomp policies that block the rseq syscall for processes that do not require it
# Verify the running kernel includes the rseq fix
uname -r
zgrep -i 'rseq' /proc/config.gz 2>/dev/null || grep -i 'rseq' /boot/config-$(uname -r)
# Example seccomp denial of rseq via systemd unit override
# /etc/systemd/system/myservice.service.d/override.conf
[Service]
SystemCallFilter=~rseq
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

