Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53354

CVE-2026-53354: Linux Kernel Privilege Escalation Flaw

CVE-2026-53354 is a privilege escalation vulnerability in the Linux kernel affecting Arm CPUs with TLBI errata. This post covers the technical details, affected processor versions, security impact, and mitigation steps.

Published:

CVE-2026-53354 Overview

CVE-2026-53354 documents a Linux kernel mitigation for a hardware erratum affecting multiple Arm CPU designs. The issue arises when a broadcast TLB Invalidate (TLBI) followed by a Data Synchronization Barrier (DSB) may complete before all writes translated by an affected TLB entry are globally observed. The erratum does not affect the actual invalidation of TLB entries; entries are removed correctly. The kernel change enables the ARM64_WORKAROUND_REPEAT_TLBI workaround on affected CPUs. This tracker entry corresponds to the hardware issue originally assigned CVE-2025-10263.

Critical Impact

Affected Arm cores may allow memory writes that were translated by an invalidated TLB entry to be observed after a TLBI;DSB sequence completes, breaking memory ordering guarantees relied upon by the kernel.

Affected Products

  • Linux kernel arm64 architecture on affected Arm CPU designs
  • Systems where ARM64_WORKAROUND_REPEAT_TLBI is not enabled for the affected cores
  • Stable kernel branches receiving backported fixes referenced by the commits below

Discovery Timeline

  • 2026-07-01 - CVE-2026-53354 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-53354

Vulnerability Analysis

The issue is a CPU erratum in the memory ordering behavior of broadcast TLB maintenance operations on several Arm cores. Under normal semantics, a TLBI followed by a DSB must guarantee that any memory access performed under a now-invalidated translation has been globally observed. Affected cores may complete the TLBI;DSB sequence before writes translated by the stale entry are visible to other observers. Because the Linux kernel relies on this ordering during page table updates, unmap operations, and permission changes, the erratum can lead to subtle memory consistency failures in the arm64 memory management subsystem. The invalidation itself is not affected — the TLB entry is removed, but pending writes gated by that translation may still be in flight.

Root Cause

The root cause is a hardware defect in the completion semantics of broadcast TLBI operations on specific Arm CPU implementations. Arm has documented this behavior as an erratum shared across several cores due to how Arm develops IP and tracks errata.

Attack Vector

No user-facing attack vector or exploitation technique is documented in the advisory. The change is a hardware errata mitigation applied to the kernel. Impact is limited to memory ordering correctness in the arm64 memory management path on affected silicon.

No verified exploitation code is available for this issue. The mitigation, as recommended by Arm, is to follow any affected TLBI;DSB sequence with an additional TLBI;DSB, ensuring all writes gated by the first TLBI have been globally observed. The additional TLBI can be any operation broadcast to affected CPUs, and the additional DSB can use any option sufficient to complete it. In the kernel, this is implemented by enabling the existing ARM64_WORKAROUND_REPEAT_TLBI mechanism for the affected CPU models and updating the silicon errata documentation.

Detection Methods for CVE-2026-53354

Indicators of Compromise

  • No indicators of compromise are associated with this erratum; the flaw manifests as memory ordering anomalies rather than an intrusion artifact.
  • Unexplained memory corruption or data consistency failures on arm64 systems running kernels without ARM64_WORKAROUND_REPEAT_TLBI enabled for affected cores may warrant investigation.

Detection Strategies

  • Inventory arm64 hosts and identify CPU implementer and part numbers via /proc/cpuinfo to determine whether they match Arm cores listed in the updated silicon errata documentation.
  • Verify that the running kernel includes the commits referenced in the NVD advisory and that CONFIG_ARM64_WORKAROUND_REPEAT_TLBI is set for the affected part numbers.
  • Review kernel boot logs for errata application messages confirming the workaround has been activated on each core.

Monitoring Recommendations

  • Track kernel package versions across arm64 fleets and flag hosts running kernels older than the stable releases containing the referenced commits.
  • Monitor vendor advisories from Linux distributions shipping arm64 builds for backport availability.
  • Correlate hardware asset data with kernel version data to prioritize patching of hosts with affected Arm cores.

How to Mitigate CVE-2026-53354

Immediate Actions Required

  • Update affected arm64 systems to a Linux kernel release that includes the fix commits published in the kernel.org stable tree.
  • Ensure kernel configuration enables ARM64_WORKAROUND_REPEAT_TLBI for the affected CPU models.
  • Coordinate with hardware vendors to confirm which cores in the deployed fleet are impacted.

Patch Information

The fix is delivered through the following upstream Linux kernel commits, all available on the kernel.org stable tree: 1268c64e2bcb, 1b47b1e1d867, 4e7c80742e6d, 7c3ad9365079, 8364384ae82f, 925058203229, cfd391e74134, d4fd42822040, and e717a4d08779. These commits enable the ARM64_WORKAROUND_REPEAT_TLBI mitigation for affected Arm CPUs and update the silicon errata documentation to reflect the shared erratum numbers.

Workarounds

  • Build the kernel with ARM64_WORKAROUND_REPEAT_TLBI enabled to activate the repeat TLBI;DSB sequence on affected cores.
  • On unaffected cores, no action is required; the workaround is gated per-CPU via the errata framework.
  • Where kernel updates cannot be applied immediately, restrict deployment of workloads sensitive to memory ordering guarantees on impacted arm64 hardware until patching is complete.
bash
# Configuration example: enable the repeat-TLBI errata workaround in the kernel .config
CONFIG_ARM64_WORKAROUND_REPEAT_TLBI=y

# Verify affected CPUs are detected and workaround is applied
dmesg | grep -i "repeat_tlbi\|errata"

# Inspect CPU implementer/part to correlate with the updated silicon errata list
cat /proc/cpuinfo | grep -E "CPU implementer|CPU part|CPU variant|CPU revision"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.