CVE-2026-53346 Overview
CVE-2026-53346 affects the Linux kernel's Rust support on arm64 systems. The issue involves the interaction between the Rust compiler (rustc), unwind tables, and the kernel's Shadow Call Stack (SCS) patching logic. When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, kernels built with Rust support fail to boot due to incorrect DWARF information generated for compiler-emitted constructors such as asan.module_ctor.
The root cause is a rustc bug where -Cforce-unwind-tables=y only emits the uwtable annotation for functions but not at the module level. This mismatch causes the SCS boot patching code to patch the paciasp instruction without patching the corresponding autiasp instruction, resulting in a crash during do_ctors() in init/main.c.
Critical Impact
Affected Linux kernel configurations fail to boot on arm64 with a KASAN global-out-of-bounds crash in do_basic_setup, preventing system startup.
Affected Products
- Linux kernel with Rust support enabled on arm64
- Kernels built with CONFIG_UNWIND_TABLES and CONFIG_UNWIND_PATCH_PAC_INTO_SCS
- Kernels compiled with rustc versions prior to 1.98.0
Discovery Timeline
- 2026-07-01 - CVE-2026-53346 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53346
Vulnerability Analysis
The defect resides in the interaction between the Rust toolchain and the Linux kernel's arm64 boot-time code patching. The kernel uses Pointer Authentication Code (PAC) instructions such as paciasp and autiasp to protect return addresses. When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, the boot patching code rewrites PAC instructions into Shadow Call Stack operations using DWARF unwind information as its source of truth.
Rust-compiled kernel objects generate compiler-inserted functions such as asan.module_ctor that lack the uwtable annotation at the module level. The DWARF information emitted for these constructors is therefore incorrect. The patching code observes the paciasp prologue instruction and rewrites it, but the mismatched unwind data causes it to skip the corresponding autiasp epilogue instruction.
The result is a mismatched prologue and epilogue in the constructor. When do_ctors() invokes the constructor through (*fn)() during kernel boot, execution crashes with a KASAN global-out-of-bounds report in do_basic_setup+0x4c/0x90. The failure is deterministic and prevents the system from completing initialization.
Root Cause
The defect stems from a rustc bug where -Cforce-unwind-tables=y applies the uwtable attribute only to source-defined functions. Compiler-generated functions such as sanitizer constructors do not inherit the annotation because there is no module-level uwtable LLVM flag. Kernel code patching that relies on complete DWARF coverage therefore operates on inconsistent metadata.
Attack Vector
CVE-2026-53346 is a boot reliability defect rather than a remotely exploitable vulnerability. Exposure requires building the kernel with Rust support, an affected rustc version, and the specific arm64 configuration flags described above. The failure surface is local to the boot process, and no external attacker input is involved. The vulnerability mechanism is described in the upstream commits referenced by the fix; no exploit code exists.
Detection Methods for CVE-2026-53346
Indicators of Compromise
- Boot failure on arm64 hardware with a KASAN report: BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
- Kernel panic during do_ctors() execution in init/main.c
- Faulting instruction traced to a compiler-generated constructor such as asan.module_ctor
Detection Strategies
- Inspect kernel build configuration for concurrent use of CONFIG_RUST, CONFIG_UNWIND_TABLES, and CONFIG_UNWIND_PATCH_PAC_INTO_SCS on arm64
- Check the rustc version used for the kernel build; versions below 1.98.0 are affected
- Review boot logs and serial console output for KASAN global-out-of-bounds messages tied to constructor invocation
Monitoring Recommendations
- Track kernel builds in CI systems to flag arm64 Rust-enabled configurations produced with older rustc releases
- Monitor systems for repeated boot failures and capture serial console output for kernel panic analysis
- Correlate patch levels of affected kernels against the upstream commits 7de13410, ac35b558, bde772ee, and d0f25a17
How to Mitigate CVE-2026-53346
Immediate Actions Required
- Apply the upstream kernel patches referenced in the Kernel Git Commit 7de13410 and related commits
- Upgrade the Rust toolchain used for kernel builds to rustc 1.98.0 or later, which contains the underlying compiler fix
- Rebuild affected arm64 kernels after applying both the kernel patch and the toolchain upgrade
Patch Information
The fix sets the uwtable LLVM module flag when CONFIG_UNWIND_TABLES is enabled for Rust code on arm64. The patch adds a rustc version check because passing the flag on a fixed compiler is a no-op. The change is available in the upstream commits ac35b558, bde772ee, and d0f25a17.
Workarounds
- Disable CONFIG_UNWIND_PATCH_PAC_INTO_SCS in the kernel build configuration until the patched kernel and toolchain are deployed
- Disable Rust support (CONFIG_RUST) for arm64 builds where the fix cannot be applied immediately
- Pin kernel builds to rustc 1.98.0 or later to avoid regenerating vulnerable object files
# Configuration example
# Verify rustc version meets the minimum required for the fix
rustc --version
# Inspect kernel config for the affected combination
grep -E 'CONFIG_RUST=|CONFIG_UNWIND_TABLES=|CONFIG_UNWIND_PATCH_PAC_INTO_SCS=' .config
# Temporary workaround: disable the SCS PAC patching option
scripts/config --disable CONFIG_UNWIND_PATCH_PAC_INTO_SCS
make olddefconfig
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

