CVE-2026-53314 Overview
CVE-2026-53314 is a Linux kernel vulnerability in the padata parallel execution subsystem. The flaw stems from the padata_cpu_dead() callback being registered in a CPU hotplug (CPUHP) state where failure is not permitted. When the callback returns an error, the kernel emits a DEAD callback error for CPU1 warning from _cpu_down+0x759/0x1020 at kernel/cpu.c:1463. The syzbot fuzzer reported the issue against commit 4ae12d8bd9a8. Maintainers resolved the flaw by moving the CPU offline callback into the ONLINE section, where callback failure is a supported outcome.
Critical Impact
A local unprivileged user triggering CPU hotplug events can produce kernel warnings and disrupt padata teardown flows, potentially destabilizing systems that rely on parallel workqueue processing.
Affected Products
- Linux kernel versions containing the pre-fix padata CPU hotplug callback registration
- Distributions shipping kernels prior to the referenced stable commits
- Systems using padata for parallel crypto or workqueue operations
Discovery Timeline
- 2026-06-26 - CVE-2026-53314 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-53314
Vulnerability Analysis
The padata subsystem distributes parallel work across CPUs, supporting operations such as IPsec cryptography. It registers callbacks with the CPU hotplug state machine to react to CPUs coming online or going offline. The kernel divides these callback states into sections with different failure semantics. States below CPUHP_TEARDOWN_CPU do not tolerate errors from teardown callbacks during CPU offline transitions.
The padata_cpu_dead() callback was registered in a state where failure was disallowed but could still return an error. When the callback failed during CPU offline, the kernel triggered a WARN at kernel/cpu.c:1463. This warning indicates an unexpected teardown failure that the hotplug core cannot recover from cleanly.
Root Cause
The root cause is incorrect placement of padata_cpu_dead() within the CPU hotplug state hierarchy. Callbacks below CPUHP_TEARDOWN_CPU are treated as infallible during teardown. Because padata_cpu_dead() performs allocations and other operations that can legitimately fail, its state assignment violated the hotplug contract. This is a kernel logic and configuration flaw [CWE-754: Improper Check for Unusual or Exceptional Conditions].
Attack Vector
CPU hotplug operations are typically privileged, but syzbot demonstrated reachability through fuzzing of the CPU online/offline interfaces. A local actor with the ability to trigger CPU hotplug transitions can force the failing callback path. The result is kernel log noise and a stalled or inconsistent teardown of padata resources. The vulnerability does not provide code execution or memory corruption primitives.
The fix relocates the CPU offline callback registration into the ONLINE section, where the hotplug state machine accepts callback failures and rolls back the transition without warning. See the Kernel Git Commit c8c4a29 and related stable backports for the exact code change.
Detection Methods for CVE-2026-53314
Indicators of Compromise
- Kernel log entries containing DEAD callback error for CPU followed by a CPU number
- WARNING: kernel/cpu.c:1463 stack traces referencing _cpu_down in dmesg or journalctl -k
- Repeated CPU offline failures on systems running padata-dependent workloads such as IPsec
Detection Strategies
- Monitor kernel ring buffer for WARN events originating from _cpu_down and padata_cpu_dead
- Correlate CPU hotplug syscalls or writes to /sys/devices/system/cpu/cpu*/online with subsequent kernel warnings
- Track kernel version and patch level across the fleet against the fixed stable commits
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a centralized log platform for kernel WARN alerting
- Alert on padata subsystem errors and unexpected CPU state transitions on production hosts
- Baseline normal CPU hotplug activity so anomalous local triggers stand out
How to Mitigate CVE-2026-53314
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in the NVD advisory to all affected hosts
- Restrict access to CPU hotplug controls under /sys/devices/system/cpu/ to root-only where feasible
- Audit kernel logs for prior occurrences of the DEAD callback error warning to identify affected systems
Patch Information
The fix moves the padata CPU offline callback into the ONLINE hotplug section. Patched commits are available in the stable trees: Kernel Git Commit 3e6c08d, Kernel Git Commit 5a9f29a, Kernel Git Commit 65dae8b, Kernel Git Commit 9afe53f, Kernel Git Commit a6d44f4, and Kernel Git Commit c8c4a29. Consume these via distribution kernel updates rather than manual backport where possible.
Workarounds
- Avoid programmatic CPU offline operations on unpatched kernels that use padata-backed workloads
- Limit exposure of unprivileged fuzzing or containerized workloads that can invoke CPU hotplug
- Disable padata-dependent features only if operationally acceptable, since this is not a supported long-term mitigation
# Restrict CPU hotplug sysfs access to root while patches are staged
find /sys/devices/system/cpu -maxdepth 2 -name online -exec chmod 600 {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

