CVE-2026-53306 Overview
CVE-2026-53306 is an off-by-one vulnerability in the Linux kernel's hvc_iucv tty driver, which provides IBM z/VM Inter-User Communication Vehicle (IUCV) hypervisor console support on s390 architectures. The flaw resides in bounds-checking logic that governs access to the hvc_iucv_table[] array of hvc_iucv_private structures. When hvc_iucv_devices reaches the maximum supported value of 8, an inconsistent comparison (num > hvc_iucv_devices) allows access to hvc_iucv_table[8], one element past the end of the fixed-size array. The kernel maintainers resolved the issue through a series of stable-tree commits.
Critical Impact
An off-by-one out-of-bounds array access in the s390 hvc_iucv driver can lead to kernel memory corruption or denial of service on affected Linux kernel builds.
Affected Products
- Linux kernel builds compiled with the hvc_iucv tty driver (IBM s390/z Systems)
- Distributions shipping vulnerable stable kernel branches referenced in the upstream fix commits
- Systems running as z/VM guests using IUCV hypervisor console lines
Discovery Timeline
- 2026-06-26 - CVE-2026-53306 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-53306
Vulnerability Analysis
The hvc_iucv driver defines a fixed-size static array to track console line private state:
static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];
Both MAX_HVC_IUCV_LINES and HVC_ALLOC_TTY_ADAPTERS equal 8, so valid indices are 0 through 7. The runtime counter hvc_iucv_devices can legitimately hold values from 0 to 8. The driver contains three separate bounds checks against this counter, and they disagree with each other. Loops iterate using for (i = 0; i < hvc_iucv_devices; i++), which is correct. However, an error-detection path uses if (num > hvc_iucv_devices), which permits num == hvc_iucv_devices. When hvc_iucv_devices == 8, this allows num == 8 to pass validation and index hvc_iucv_table[8], reading past the end of the array.
Root Cause
The root cause is inconsistent boundary semantics between a counter representing element count and an index used to reference array slots. The strict-greater-than comparison should have been greater-than-or-equal-to when the counter reaches the compile-time maximum. This is a classic off-by-one [CWE-193] leading to an out-of-bounds read [CWE-125] within kernel address space.
Attack Vector
Exploitation requires the system to have provisioned the maximum of 8 IUCV console devices and to trigger a code path that reaches the flawed comparison. The read returns whatever adjacent kernel memory follows hvc_iucv_table[], which may be dereferenced as a struct hvc_iucv_private * pointer. This can produce kernel information disclosure, invalid pointer dereference, or a kernel oops resulting in denial of service. The published data does not indicate remote or unprivileged exploitation, and no proof-of-concept is publicly available.
No verified proof-of-concept code has been released. Refer to the upstream fix commits for the exact source-level correction, including the primary kernel commit.
Detection Methods for CVE-2026-53306
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing hvc_iucv symbols in dmesg or /var/log/messages
- Kernel address sanitizer (KASAN) reports flagging out-of-bounds reads in hvc_iucv_table
- Console instability on z/VM guests configured with 8 IUCV hypervisor console lines
Detection Strategies
- Inventory Linux kernel versions across s390/z Systems fleets and compare against the fixed versions in the upstream stable commits
- Enable KASAN on test kernels to catch out-of-bounds accesses in the hvc_iucv code path
- Audit z/VM guest configurations for the hvc_iucv= boot parameter set to 8
Monitoring Recommendations
- Forward kernel ring buffer and syslog events to a centralized log platform and alert on hvc_iucv fault signatures
- Track kernel package versions through configuration management to confirm patched builds are deployed
- Monitor system uptime anomalies and unexpected reboots on IBM Z hosts that may indicate kernel crashes
How to Mitigate CVE-2026-53306
Immediate Actions Required
- Apply the vendor-supplied kernel update that incorporates the upstream fix from the Linux stable tree
- Reduce hvc_iucv= to a value below 8 on affected z/VM guests until patched kernels are deployed
- Restrict local access to affected s390 systems to trusted administrators while remediation is in progress
Patch Information
The fix has been merged across multiple Linux stable branches. Relevant upstream commits include 11207e42a332, 3104a3f40feb, 3d3b89e6ab93, 484357dff256, a76511bc6548, f1dc8e72de9a, f2a880e802ad, and fed8b8f33a46. Consult your Linux distribution's security advisories for the specific package versions that include these commits.
Workarounds
- Configure fewer than 8 IUCV console devices via the hvc_iucv= kernel command-line parameter
- Rebuild the kernel without CONFIG_HVC_IUCV where IUCV console functionality is not required
- Limit administrative access on IBM Z hosts to reduce the local attack surface until patches are applied
# Example: reduce configured IUCV console lines on z/VM guests
# Edit the kernel boot parameters (e.g. /etc/zipl.conf) and lower the value:
parameters = "... hvc_iucv=4 ..."
# Rebuild the boot record and reboot to apply
zipl -V
systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

