CVE-2026-53024
Received - Intake
Use-After-Free in Linux Kernel Greybus Raw Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free if write is called after disconnect

If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace (with CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

    BUG: kernel NULL pointer dereference, address: 0000000000000218
    ...
    Call Trace:
     <TASK>
     gb_operation_create_common+0x61/0x180
     gb_operation_create_flags+0x28/0xa0
     gb_operation_sync_timeout+0x6f/0x100
     raw_write+0x7b/0xc7 [gb_raw]
     vfs_write+0xcf/0x420
     ? task_mm_cid_work+0x136/0x220
     ksys_write+0x63/0xe0
     do_syscall_64+0xa4/0x290
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

Disconnect calls gb_connection_destroy, which ends up freeing the connection object. When gb_operation_sync is called in the write file operations, it gets a freed connection as parameter and the kernel panics.

The gb_connection_destroy cannot be moved out of the disconnect function, as the Greybus subsystem expects all connections belonging to a bundle to be destroyed when disconnect returns.

To prevent this bug, use a rw lock to synchronize access between write and disconnect. This guarantees that the write function doesn't try to use a disconnected connection.

Meta Information

  • Published: 2026-06-24
  • Last Modified: 2026-06-24
  • Generated: 2026-06-25
  • AI Q&A: 2026-06-24
  • EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

  • Vendor: greybus, Product: raw, Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's greybus raw driver. It is a use-after-free bug that occurs when a write operation is called after a disconnect has been performed.

Specifically, when a user writes to the character device after the disconnect function has freed the connection object, the kernel attempts to use this freed connection, leading to a kernel panic caused by a NULL pointer dereference.

The disconnect function calls gb_connection_destroy, which frees the connection object. If a write operation happens concurrently or after this, it uses the freed connection, causing the crash.

The fix involves using a read-write lock to synchronize access between the write and disconnect operations, ensuring that writes do not occur on disconnected connections.

Impact Analysis

This vulnerability can cause the Linux kernel to panic, resulting in a system crash.

A kernel panic can lead to denial of service, causing the affected system to become unresponsive and requiring a reboot.

Such crashes can disrupt normal operations, potentially causing data loss or downtime depending on the system's role.

Detection Guidance

This vulnerability manifests as a kernel panic caused by a NULL pointer dereference when a write operation is performed on the Greybus raw chardev after a disconnect has been called.

Detection can involve monitoring system logs for kernel panic messages containing traces similar to the following:

  • BUG: kernel NULL pointer dereference, address: 0000000000000218
  • Call Trace entries including gb_operation_create_common, gb_operation_sync_timeout, raw_write, vfs_write, ksys_write, and entry_SYSCALL_64_after_hwframe

No specific detection commands or tools are provided for this issue. A general approach is to check the kernel logs using commands such as:

  • dmesg | grep -i 'BUG\|gb_operation\|raw_write'
  • journalctl -k | grep -i 'BUG\|gb_operation\|raw_write'

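These commands help identify kernel panic traces related to this vulnerability. The case-insensitive BUG pattern also matches unrelated log lines, so confirm a hit by checking that raw_write [gb_raw] and the gb_operation_* frames appear in the same call trace. The trace in the description was captured with CONFIG_INIT_ON_FREE_DEFAULT_ON=y; the description does not show the symptom on kernels built without that option.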

Mitigation Strategies

The vulnerability is caused by a use-after-free condition when a write is called after disconnect on the Greybus raw chardev.

The fix synchronizes access between the write and disconnect operations using a read-write lock (rw lock). This ensures that the write function does not attempt to use a disconnected connection.

Immediate mitigation steps include:

  • Apply the patch or update the Linux kernel to a version where this vulnerability is fixed.
  • Avoid performing write operations on the Greybus raw chardev after a disconnect has been initiated.
  • Monitor system behavior for kernel panics related to this issue and plan for kernel updates accordingly.