CVE-2026-52930
Analyzed Analyzed - Analysis Complete

Race Condition in Linux Kernel IPC Shared Memory

Vulnerability report for CVE-2026-52930, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ipc/shm: serialize orphan cleanup with shm_nattch updates shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that does not serialize all fields tested by shm_may_destroy(). In particular, shm_nattch is updated while holding shm_perm.lock, and attach paths can do that without holding the rwsem. Do not decide that an orphaned segment is unused before taking the object lock. Move the shm_may_destroy() check under shm_perm.lock, matching the other destroy paths, and unlock the segment when it no longer qualifies for removal.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.210 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 3.1 (inc) to 5.10.259 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by properly serializing orphan cleanup with shm_nattch updates. To mitigate this vulnerability, you should update your Linux kernel to the version that includes this fix.

  • Apply the latest Linux kernel update or patch that addresses the ipc/shm serialization issue.
  • Avoid using unpatched kernel versions that may improperly handle shared memory segment cleanup.
Executive Summary

This vulnerability exists in the Linux kernel's inter-process communication (IPC) shared memory (shm) subsystem. Specifically, the issue involves improper serialization during the cleanup of orphaned shared memory segments. The function shm_destroy_orphaned() walks through shared memory IDs under a read-write semaphore (rwsem), but it does not properly synchronize all fields checked by shm_may_destroy(). The field shm_nattch, which tracks the number of attachments to a shared memory segment, is updated while holding a different lock (shm_perm.lock), and some attach operations update this field without holding the rwsem. This can lead to a race condition where an orphaned shared memory segment might be incorrectly considered unused and destroyed prematurely. The fix involves moving the shm_may_destroy() check under the shm_perm.lock to ensure proper locking and prevent premature removal.

Impact Analysis

This vulnerability can lead to premature destruction of shared memory segments that are still in use. Such a race condition may cause instability or unexpected behavior in applications relying on shared memory for communication or data storage. It could result in data corruption, application crashes, or denial of service if critical shared memory segments are removed while still attached by processes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52930. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart