CVE Vulnerability Database

CVE-2026-53265: Linux Kernel Race Condition Vulnerability

CVE-2026-53265 is a race condition vulnerability in the Linux kernel's dm cache policy smq that lets two concurrent invalidators corrupt SMQ queues or the hash table. This article covers technical details, impact, and mitigation.


CVE-2026-53265 Overview

CVE-2026-53265 is a race condition vulnerability in the Linux kernel's device-mapper (dm) cache policy Stochastic Multi-Queue (SMQ) component. The flaw resides in the smq_invalidate_mapping() function, where the e->allocated check executes outside the mq->lock critical section. This creates a check-then-act race that two concurrent invalidators can exploit to corrupt SMQ queues or the hash table. The kernel maintainers resolved the issue by moving the allocation check under mq->lock so the predicate and destructive operations share serialization.

Critical Impact

Concurrent invalidation operations can corrupt internal SMQ data structures or trigger a double-free condition in free_entry(), leading to kernel memory corruption or denial of service.

Affected Products

  • Linux kernel versions containing commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks") but lacking the follow-up fix commits listed under Patch Information
  • Systems using device-mapper cache with the SMQ cache policy
  • Distributions shipping unpatched kernel builds prior to the fix commits referenced in the kernel.org stable tree

Discovery Timeline

  • 2026-06-25 - CVE-2026-53265 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53265

Vulnerability Analysis

The vulnerability is a classic Time-of-Check to Time-of-Use (TOCTOU) race condition in the device-mapper SMQ cache policy. An earlier fix, commit 2d1f7b65f5de, added mq->lock protection around the destructive section of smq_invalidate_mapping(). However, the e->allocated predicate check remained outside the critical section.

Two concurrent invalidators can both observe e->allocated as true before either acquires mq->lock. The first invalidator acquires the lock, removes the entry from the queues and hash table, then calls free_entry(). This call clears e->allocated and returns the entry to the free list. The second invalidator then acquires mq->lock and proceeds with a stale predicate result.

The consequence is corruption of SMQ queues or hash table state, because the second thread attempts to remove an entry that is no longer linked. The same entry can also reach free_entry() twice, triggering the allocation assertion or producing a double-free condition.

Root Cause

The root cause is incomplete lock coverage. The original locking fix protected only the mutation steps while leaving the predicate evaluation unsynchronized. The predicate and the destructive operations must be serialized by the same lock to maintain consistency of the cache entry state.
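The following is an added, constructed model of the pattern described above, not the kernel's code: one cache entry, a stand-in for mq->lock, and the two invalidators' steps replayed in the losing order, so the difference between checking e->allocated outside the lock and inside it can be observed directly. All names (struct smq, destroy_locked, replay) are hypothetical.

```c
/* Constructed model of the smq_invalidate_mapping() check-then-act race (not
 * kernel code): one entry, a stand-in for mq->lock, two replayed invalidators. */
#include <stdbool.h>
struct entry { bool allocated; bool linked; };
struct smq {
    bool lock_held;                      /* stands in for mq->lock */
    struct entry e;
    int unlink_of_unlinked, double_free; /* corruption events observed */
};
static void mq_lock(struct smq *mq)   { mq->lock_held = true; }
static void mq_unlock(struct smq *mq) { mq->lock_held = false; }
/* Destructive section (lock held): unlink from queues/hash, then free_entry(). */
static void destroy_locked(struct smq *mq, struct entry *e)
{
    if (!e->linked)    mq->unlink_of_unlinked++;  /* removing an unlinked entry */
    e->linked = false;
    if (!e->allocated) mq->double_free++;         /* would trip the assertion */
    e->allocated = false;                         /* back on the free list */
}

/* Vulnerable shape: e->allocated read before the lock; check and act split
 * into two functions so one interleaving can be replayed deterministically. */
static bool check_unlocked(struct smq *mq) { return mq->e.allocated; }
static void act_with_stale(struct smq *mq, bool saw_allocated)
{
    if (!saw_allocated) return;
    mq_lock(mq);
    destroy_locked(mq, &mq->e);   /* entry may have been freed meanwhile */
    mq_unlock(mq);
}

/* Fixed shape: predicate and destructive section under the same lock. */
static void invalidate_fixed(struct smq *mq)
{
    mq_lock(mq);
    if (mq->e.allocated) destroy_locked(mq, &mq->e);
    mq_unlock(mq);
}

/* Two invalidators hit the same entry; returns corruption events observed. */
int replay(bool fixed)
{
    struct smq mq = { false, { true, true }, 0, 0 };
    if (fixed) { invalidate_fixed(&mq); invalidate_fixed(&mq); }
    else {      /* both observe allocated==true before either takes the lock */
        bool a = check_unlocked(&mq), b = check_unlocked(&mq);
        act_with_stale(&mq, a); act_with_stale(&mq, b);
    }
    return mq.unlink_of_unlinked + mq.double_free;  /* 2 unfixed, 0 fixed */
}
```

The unfixed replay records both an unlink of an already-unlinked entry and a second free of the same entry; with the predicate re-evaluated under the lock, the second invalidator sees the entry as free and does nothing.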

Attack Vector

Exploitation requires the ability to issue concurrent invalidation operations against a device-mapper cache configured with the SMQ policy. This is a local kernel-side race and requires workloads or privileged operations that drive parallel cache invalidations. The race is timing-dependent and not network-reachable.

No public proof-of-concept or in-the-wild exploitation has been reported. See the Linux Kernel Commit c242c7af and related stable-tree fix commits for the authoritative patch.

Detection Methods for CVE-2026-53265

Indicators of Compromise

  • Kernel oops or BUG() messages referencing dm-cache-policy-smq or free_entry in dmesg or /var/log/kern.log
  • Unexpected I/O errors or stalls on device-mapper cache targets using the SMQ policy
  • Kernel panics correlated with concurrent dmsetup message invalidate_cblocks operations

Detection Strategies

  • Audit kernel build metadata to identify hosts running affected kernel versions that lack the fix commits referenced on kernel.org
  • Monitor kernel log streams for warnings emitted from drivers/md/dm-cache-policy-smq.c, particularly around entry allocation assertions
  • Correlate device-mapper administrative activity with subsequent kernel error events to surface race-condition symptoms

Monitoring Recommendations

  • Ingest dmesg and /var/log/kern.log into a centralized log pipeline for kernel fault analytics
  • Alert on repeated dm-cache related stack traces across the fleet, which may indicate exploitation attempts or workload-induced triggering
  • Track kernel package versions in configuration management to verify patch deployment status

How to Mitigate CVE-2026-53265

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in the kernel.org stable tree commits as soon as distribution updates are available
  • Inventory systems using device-mapper cache with the SMQ policy and prioritize them for patching
  • Subscribe to vendor security advisories from your Linux distribution provider for backported fixes

Patch Information

The fix moves the e->allocated check under mq->lock in smq_invalidate_mapping() so that predicate evaluation and destructive operations execute atomically. Apply the relevant stable-tree commits: Linux Kernel Commit 03ffe111, Linux Kernel Commit 13da856c, Linux Kernel Commit 42ff6774, Linux Kernel Commit b4892561, Linux Kernel Commit c242c7af, Linux Kernel Commit c57570fb, Linux Kernel Commit d3f0a606, and Linux Kernel Commit d886945f.

Workarounds

  • Where patching is delayed, consider switching the dm-cache policy from smq to an alternative policy (such as cleaner) to drain caches and reduce exposure
  • Restrict the ability to issue dmsetup administrative commands to trusted system accounts only
  • Avoid workloads that drive concurrent cache invalidation against the same dm-cache target until the kernel is patched

Example commands for verifying the running kernel, locating affected dm-cache targets, and applying the update:

```bash
# Record the running kernel version; compare it with your distribution's
# advisory to confirm the backported fix is present
uname -r

# Identify active dm-cache targets; the table line shows the policy in use (smq)
dmsetup table | grep ' cache '

# Apply the distribution kernel update (example: Debian/Ubuntu). Upgrading only
# the currently running ABI package may not pull in a newer kernel; the
# linux-image-amd64 / linux-image-generic metapackage does.
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r)
sudo reboot
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
