Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53346

CVE-2026-53346: Linux Kernel ARM64 DoS Vulnerability

CVE-2026-53346 is a denial of service flaw in the Linux kernel ARM64 architecture affecting Rust compilation with unwind tables. This causes boot failures when CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-53346 Overview

CVE-2026-53346 affects the Linux kernel's Rust support on arm64 systems. The issue involves the interaction between the Rust compiler (rustc), unwind tables, and the kernel's Shadow Call Stack (SCS) patching logic. When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, kernels built with Rust support fail to boot due to incorrect DWARF information generated for compiler-emitted constructors such as asan.module_ctor.

The root cause is a rustc bug where -Cforce-unwind-tables=y only emits the uwtable annotation for functions but not at the module level. This mismatch causes the SCS boot patching code to patch the paciasp instruction without patching the corresponding autiasp instruction, resulting in a crash during do_ctors() in init/main.c.

Critical Impact

Affected Linux kernel configurations fail to boot on arm64 with a KASAN global-out-of-bounds crash in do_basic_setup, preventing system startup.

Affected Products

  • Linux kernel with Rust support enabled on arm64
  • Kernels built with CONFIG_UNWIND_TABLES and CONFIG_UNWIND_PATCH_PAC_INTO_SCS
  • Kernels compiled with rustc versions prior to 1.98.0

Discovery Timeline

  • 2026-07-01 - CVE-2026-53346 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-53346

Vulnerability Analysis

The defect resides in the interaction between the Rust toolchain and the Linux kernel's arm64 boot-time code patching. The kernel uses Pointer Authentication Code (PAC) instructions such as paciasp and autiasp to protect return addresses. When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, the boot patching code rewrites PAC instructions into Shadow Call Stack operations using DWARF unwind information as its source of truth.

Rust-compiled kernel objects generate compiler-inserted functions such as asan.module_ctor that lack the uwtable annotation at the module level. The DWARF information emitted for these constructors is therefore incorrect. The patching code observes the paciasp prologue instruction and rewrites it, but the mismatched unwind data causes it to skip the corresponding autiasp epilogue instruction.

The result is a mismatched prologue and epilogue in the constructor. When do_ctors() invokes the constructor through (*fn)() during kernel boot, execution crashes with a KASAN global-out-of-bounds report in do_basic_setup+0x4c/0x90. The failure is deterministic and prevents the system from completing initialization.

Root Cause

The defect stems from a rustc bug where -Cforce-unwind-tables=y applies the uwtable attribute only to source-defined functions. Compiler-generated functions such as sanitizer constructors do not inherit the annotation because there is no module-level uwtable LLVM flag. Kernel code patching that relies on complete DWARF coverage therefore operates on inconsistent metadata.

Attack Vector

CVE-2026-53346 is a boot reliability defect rather than a remotely exploitable vulnerability. Exposure requires building the kernel with Rust support, an affected rustc version, and the specific arm64 configuration flags described above. The failure surface is local to the boot process, and no external attacker input is involved. The vulnerability mechanism is described in the upstream commits referenced by the fix; no exploit code exists.

Detection Methods for CVE-2026-53346

Indicators of Compromise

  • Boot failure on arm64 hardware with a KASAN report: BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
  • Kernel panic during do_ctors() execution in init/main.c
  • Faulting instruction traced to a compiler-generated constructor such as asan.module_ctor

Detection Strategies

  • Inspect kernel build configuration for concurrent use of CONFIG_RUST, CONFIG_UNWIND_TABLES, and CONFIG_UNWIND_PATCH_PAC_INTO_SCS on arm64
  • Check the rustc version used for the kernel build; versions below 1.98.0 are affected
  • Review boot logs and serial console output for KASAN global-out-of-bounds messages tied to constructor invocation

Monitoring Recommendations

  • Track kernel builds in CI systems to flag arm64 Rust-enabled configurations produced with older rustc releases
  • Monitor systems for repeated boot failures and capture serial console output for kernel panic analysis
  • Correlate patch levels of affected kernels against the upstream commits 7de13410, ac35b558, bde772ee, and d0f25a17

How to Mitigate CVE-2026-53346

Immediate Actions Required

  • Apply the upstream kernel patches referenced in the Kernel Git Commit 7de13410 and related commits
  • Upgrade the Rust toolchain used for kernel builds to rustc 1.98.0 or later, which contains the underlying compiler fix
  • Rebuild affected arm64 kernels after applying both the kernel patch and the toolchain upgrade

Patch Information

The fix sets the uwtable LLVM module flag when CONFIG_UNWIND_TABLES is enabled for Rust code on arm64. The patch adds a rustc version check because passing the flag on a fixed compiler is a no-op. The change is available in the upstream commits ac35b558, bde772ee, and d0f25a17.

Workarounds

  • Disable CONFIG_UNWIND_PATCH_PAC_INTO_SCS in the kernel build configuration until the patched kernel and toolchain are deployed
  • Disable Rust support (CONFIG_RUST) for arm64 builds where the fix cannot be applied immediately
  • Pin kernel builds to rustc 1.98.0 or later to avoid regenerating vulnerable object files
bash
# Configuration example
# Verify rustc version meets the minimum required for the fix
rustc --version

# Inspect kernel config for the affected combination
grep -E 'CONFIG_RUST=|CONFIG_UNWIND_TABLES=|CONFIG_UNWIND_PATCH_PAC_INTO_SCS=' .config

# Temporary workaround: disable the SCS PAC patching option
scripts/config --disable CONFIG_UNWIND_PATCH_PAC_INTO_SCS
make olddefconfig

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.