CVE-2026-53336 Overview
CVE-2026-53336 is a denial-of-service vulnerability in the Linux kernel's nvmem subsystem, specifically within the ONIE-TLV (Open Network Install Environment - Type-Length-Value) layout parser. The driver enters an infinite loop when it encounters an unknown TLV entry type in an EEPROM, such as a vendor-specific entry of type 0x41. The parser fails to advance its offset on unrecognized types, causing the loop to never terminate. The issue was resolved by ensuring the offset is always incremented, allowing the loop to progress past unknown entries.
Critical Impact
A malformed or vendor-specific EEPROM entry can cause the kernel driver to hang indefinitely during layout parsing, resulting in a denial-of-service condition on affected systems.
Affected Products
- Linux kernel versions containing the onie-tlv nvmem layout driver
- Systems using EEPROMs parsed by the nvmem ONIE-TLV layout
- Network and embedded devices adhering to the ONIE specification
Discovery Timeline
- 2026-07-01 - CVE-2026-53336 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53336
Vulnerability Analysis
The defect resides in the Linux kernel nvmem layout driver onie-tlv, which parses EEPROM contents structured as ONIE Type-Length-Value records. The driver iterates over TLV entries and dispatches parsing based on the type byte. When the type does not match any recognized identifier, the original implementation neither consumed the entry nor advanced the parsing offset. The loop condition therefore remains true indefinitely, and the kernel spins on the same offset without making forward progress.
The committed fix modifies the parsing loop to increment the offset by the entry's declared length even when the type is unknown. This guarantees loop termination once the parser reaches the end of the EEPROM data. Multiple stable kernel branches received the backport, tracked through commits 033d498, 4a4d21f, 4f27eb0, ea41020, and fd47ede.
Root Cause
The root cause is missing offset advancement in the default handler path of the ONIE-TLV parser. The parser only updated the offset within specific type handlers, leaving unrecognized types in a stuck state. This is a control-flow defect that produces an infinite loop, mapping to the general class of resource-exhaustion and denial-of-service issues in kernel input parsing.
Attack Vector
Exploitation requires an EEPROM whose contents include a TLV entry with a type code outside the driver's recognized set, for example 0x41. On boot or on driver probe, the kernel invokes the layout parser and enters the non-terminating loop. The vulnerable code path is triggered locally by hardware-supplied data. Remote exploitation is not applicable, but any workflow that swaps, flashes, or provisions EEPROM contents can introduce the trigger condition.
No verified public exploit code is available. See the referenced kernel commits for the exact patch diff and parser logic.
Detection Methods for CVE-2026-53336
Indicators of Compromise
- Kernel task hangs or soft-lockup messages referencing the nvmem or onie-tlv code paths during boot or module load
- A CPU core pinned at 100% utilization inside kernel space with no forward progress in NVMEM initialization
- Boot sequences that stall after nvmem layout registration and never reach userspace
Detection Strategies
- Review dmesg and serial console output for stalls immediately following nvmem or ONIE-TLV probe messages
- Compare running kernel versions against the fixed stable branches referenced in commits 033d498, 4a4d21f, 4f27eb0, ea41020, and fd47ede
- Audit EEPROM contents on affected hardware for TLV entries with types outside the driver's supported set
Monitoring Recommendations
- Alert on kernel soft-lockup and RCU stall detector messages across managed Linux fleets
- Track kernel package versions in configuration management to confirm the fix is deployed
- Monitor device boot success rates and time-to-userspace on network hardware that relies on ONIE
How to Mitigate CVE-2026-53336
Immediate Actions Required
- Update to a Linux kernel version that includes one of the referenced stable commits fixing the ONIE-TLV parser
- Inventory systems that use the nvmem_layout_onie_tlv driver and prioritize patching those with vendor-specific EEPROM contents
- Validate EEPROM contents on affected hardware before deploying kernels lacking the fix
Patch Information
The fix is committed to the mainline Linux kernel and backported across stable branches. Refer to the following kernel commits for details: Kernel Commit 033d498, Kernel Commit 4a4d21f, Kernel Commit 4f27eb0, Kernel Commit ea41020, and Kernel Commit fd47ede.
Workarounds
- Unload or disable the nvmem_layout_onie_tlv module on systems where ONIE-TLV parsing is not required
- Reflash EEPROMs to remove TLV entries containing unrecognized type codes prior to boot on unpatched kernels
- Restrict physical and administrative access to hardware programming interfaces to prevent introduction of malformed EEPROM data
# Verify whether the onie-tlv nvmem layout module is loaded
lsmod | grep nvmem_layout_onie_tlv
# Prevent the module from loading on unpatched systems
echo "blacklist nvmem_layout_onie_tlv" | sudo tee /etc/modprobe.d/blacklist-onie-tlv.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

