CVE-2026-53352 Overview
CVE-2026-53352 is a race condition vulnerability in the Linux kernel's signal handling subsystem. The flaw resides in zap_other_threads() within kernel/signal.c, where the function fails to clear the JOBCTL_PENDING_MASK for the calling thread when tearing down a thread group during execve(). When a multi-threaded process concurrently receives a stop signal such as SIGSTOP and one thread invokes execve(), stale job control flags remain on the calling thread. This triggers a kernel warning at kernel/signal.c:373 when task_participate_group_stop() attempts to decrement an already-zero signal->group_stop_count.
Critical Impact
Local unprivileged processes can trigger a kernel warning and inconsistent signal state through a race between SIGSTOP delivery and execve() in multi-threaded processes.
Affected Products
- Linux kernel (mainline, prior to the fix commits referenced by kernel.org)
- Linux stable kernel branches receiving the backported patches
- Distributions shipping unpatched kernel builds from the affected series
Discovery Timeline
- 2026-07-01 - CVE-2026-53352 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53352
Vulnerability Analysis
The defect is a race condition [CWE-362] in the Linux kernel signal delivery path. When a multi-threaded process receives a stop signal, do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on every thread in the group and initializes signal->group_stop_count to the total thread count. Concurrently, if one thread executes execve(), de_thread() calls zap_other_threads() to terminate the other threads.
zap_other_threads() aborts the group stop by resetting signal->group_stop_count to zero and clearing JOBCTL_PENDING_MASK on all other threads. It omits the calling thread from this cleanup. When execve() completes and the calling thread returns to user mode, it observes its own stale JOBCTL_STOP_PENDING flag and re-enters do_signal_stop(). That path invokes task_participate_group_stop(), which sees JOBCTL_STOP_CONSUME still set and decrements the already-zero group_stop_count, producing a WARN at kernel/signal.c:373.
Root Cause
The root cause is incomplete state teardown in zap_other_threads(). Unlike zap_process() and complete_signal(), which clear job control flags on all threads including the current one, zap_other_threads() skipped the caller. The stale JOBCTL_PENDING_MASK bits on the surviving execve caller cause the signal subsystem to operate on inconsistent group-stop bookkeeping.
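The bookkeeping described in the analysis and root cause above, as a simplified user-space model added here for illustration (it is not kernel code and not taken from the upstream patch). The class, method names and flag values are assumptions that mirror the names used in this advisory; only the two stop flags and the counter are modelled.

```python
# Simplified model of the group-stop bookkeeping; flag values are illustrative.
STOP_PENDING, STOP_CONSUME = 0x1, 0x2
PENDING_MASK = STOP_PENDING | STOP_CONSUME  # the model covers only the stop bits


class ThreadGroup:
    def __init__(self, nthreads):
        self.jobctl = [0] * nthreads   # per-thread job control flags
        self.group_stop_count = 0
        self.warnings = []             # stands in for the kernel WARN

    def stop_signal_arrives(self):
        """Stop signal: flag every thread and count all of them."""
        for tid in range(len(self.jobctl)):
            self.jobctl[tid] |= PENDING_MASK
        self.group_stop_count = len(self.jobctl)

    def zap_other_threads(self, caller, patched):
        """execve() teardown: abort the group stop."""
        self.group_stop_count = 0
        for tid in range(len(self.jobctl)):
            if tid != caller or patched:   # unpatched logic skips the caller
                self.jobctl[tid] &= ~PENDING_MASK

    def return_to_user(self, tid):
        """The caller leaves execve() and acts on its own pending stop."""
        if not self.jobctl[tid] & STOP_PENDING:
            return
        consume = self.jobctl[tid] & STOP_CONSUME
        self.jobctl[tid] &= ~PENDING_MASK
        if consume:
            if self.group_stop_count == 0:
                self.warnings.append("group_stop_count == 0")
            else:
                self.group_stop_count -= 1


def simulate(patched, nthreads=4, caller=0):
    """Return (warnings, caller flags left behind after the teardown)."""
    group = ThreadGroup(nthreads)
    group.stop_signal_arrives()
    group.zap_other_threads(caller, patched)
    stale = group.jobctl[caller]
    group.return_to_user(caller)
    return group.warnings, stale
```

With `patched=False` the caller keeps both stop flags after the teardown and the warning is recorded; with `patched=True` the caller's flags are cleared along with the others and nothing fires.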
Attack Vector
A local unprivileged user can reach the racy code path by creating a multi-threaded process, sending SIGSTOP to it, and simultaneously invoking execve() from one of its threads. Reliably winning the race produces a kernel warning and inconsistent signal state. Exploitation for privilege escalation is not indicated by the upstream commit message, and the fix is classified as a stability correction against a WARN_ON condition.
No public proof-of-concept exploit code is available. See the upstream fix in Kernel Git Commit 76aebd9 and additional backports referenced by kernel.org.
Detection Methods for CVE-2026-53352
Indicators of Compromise
- Kernel log entries containing WARNING: CPU: <n> PID: <pid> at kernel/signal.c:373 task_participate_group_stop
- Call traces referencing do_signal_stop, get_signal, and arch_do_signal_or_restart following an execve() in a multi-threaded process
- Repeated sig->group_stop_count == 0 warnings from processes that combine threading, job control, and execve()
Detection Strategies
- Ingest dmesg and /var/log/kern.log output into a centralized log platform and alert on the kernel/signal.c:373 warning signature.
- Correlate kernel warnings with the originating PID, UID, and executable path to identify processes triggering the race, whether accidentally or deliberately.
- Baseline kernel WARN frequency per host and flag hosts that produce this specific stack trace, since it is uncommon under normal workloads.
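One way to implement the signature match and PID correlation described above, as an added example that is not part of the original advisory. The sample log lines are constructed, and the function name and record fields are assumptions.

```python
import re

# Signature taken from the indicator list in this advisory.
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"kernel/signal\.c:373 task_participate_group_stop")
COMM_RE = re.compile(r"\bComm: (?P<comm>\S+)")
TRACE_FUNCS = ("do_signal_stop", "get_signal", "arch_do_signal_or_restart")
END_RE = re.compile(r"---\[ end trace")

# Constructed sample, not captured from a real host.
SAMPLE_LOG = """\
[ 1200.000001] WARNING: CPU: 0 PID: 77 at constructed/other.c:10 other_fn+0x1/0x2
[ 1234.567890] ------------[ cut here ]------------
[ 1234.567901] WARNING: CPU: 2 PID: 4321 at kernel/signal.c:373 task_participate_group_stop+0x8c/0xa0
[ 1234.567950] CPU: 2 PID: 4321 Comm: worker Not tainted 0.0.0-constructed #1
[ 1234.568000] Call Trace:
[ 1234.568010]  do_signal_stop+0x1a0/0x220
[ 1234.568020]  get_signal+0x3f0/0x8a0
[ 1234.568030]  arch_do_signal_or_restart+0x2e/0x260
[ 1234.568100] ---[ end trace 0000000000000000 ]---
""".splitlines()


def find_group_stop_warnings(lines):
    """Return one record per WARN splat that matches the signature."""
    hits, current = [], None
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            current = {"cpu": int(m["cpu"]), "pid": int(m["pid"]),
                       "comm": None, "trace": []}
            hits.append(current)
            continue
        if current is None or END_RE.search(line):
            current = None          # outside a matching splat
            continue
        c = COMM_RE.search(line)
        if c and current["comm"] is None:
            current["comm"] = c["comm"]
        for func in TRACE_FUNCS:
            if func not in current["trace"] and re.search(rf"\b{func}\+0x", line):
                current["trace"].append(func)
    for hit in hits:                # True when all three trace frames were seen
        hit["full_trace"] = all(f in hit["trace"] for f in TRACE_FUNCS)
    return hits
```

Each record carries the PID and command name needed to look up the UID and executable path in process accounting or audit data.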
Monitoring Recommendations
- Monitor kernel version and patch level across the fleet to identify hosts running builds prior to the fix commits referenced by kernel.org.
- Track processes that combine clone() with CLONE_THREAD, receipt of SIGSTOP, and rapid execve() calls, which is the pattern required to reach the race.
- Watch for unexpected process state transitions or stopped threads that fail to resume as job-control expectations would predict.
How to Mitigate CVE-2026-53352
Immediate Actions Required
- Inventory Linux hosts and identify kernels that do not yet include the upstream fix or its stable backports.
- Apply vendor kernel updates that incorporate the referenced commits and reboot affected systems during a scheduled maintenance window.
- On multi-tenant systems, restrict access for untrusted local users until patched builds are deployed.
Patch Information
The fix clears JOBCTL_PENDING_MASK for the calling thread inside zap_other_threads(), aligning its behavior with zap_process() and complete_signal(). It has been merged upstream and backported to stable branches. Relevant commits include Kernel Git Commit 2b32b2f, Kernel Git Commit 391ebe7, Kernel Git Commit 76aebd9, Kernel Git Commit 8c046f3, Kernel Git Commit 9091879, Kernel Git Commit dfcd0ba, Kernel Git Commit f4aae11, and Kernel Git Commit f8d720b.
Workarounds
- No supported source-level workaround exists outside of patching, since the defect is inside core signal handling.
- Reduce exposure by limiting local shell access on shared systems and enforcing least privilege for interactive users.
- Where feasible, disable or restrict workloads that intentionally combine job control signals with execve() in multi-threaded processes until patches are deployed.
# Verify kernel version and confirm the patched build is installed
uname -r
# On Debian/Ubuntu: install the latest kernel and reboot
sudo apt-get update && sudo apt-get install --only-upgrade linux-image-$(uname -r | cut -d- -f3-)
sudo reboot
# On RHEL/CentOS/Rocky/Alma: update kernel and reboot
sudo dnf update kernel
sudo reboot
# Confirm no kernel/signal.c:373 warnings after patching
sudo dmesg | grep -i 'kernel/signal.c:373'

