CVE-2026-53025
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free on cdev close

This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the following panic when init on free is enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

  refcount_t: underflow; use-after-free.
  WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130
  ...
  Call Trace:
  <TASK>
  cdev_put+0x18/0x30
  __fput+0x255/0x2a0
  __x64_sys_close+0x3d/0x80
  do_syscall_64+0xa4/0x290
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

The cdev is contained in the "gb_raw" structure, which is freed in the disconnect operation. When the cdev is released at a later time, cdev_put gets an address that points to freed memory.

To fix this use-after-free, convert the struct device from a pointer to being embedded, that makes the lifetime of the cdev and of this device the same. Then, use cdev_device_add, which guarantees that the device won't be released until all references to the cdev have been released. Finally, delegate the freeing of the structure to the device release function, instead of freeing immediately in the disconnect callback.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
greybus raw *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel's greybus raw driver. It occurs when a raw bundle is disconnected while its character device (cdev) is still held open by an application. When the application later closes the cdev, the kernel accesses memory that has already been freed, causing a kernel panic with a refcount underflow warning.

The root cause is that the cdev is part of the gb_raw structure, which is freed during the disconnect operation even though the cdev can still be referenced afterward. The fix embeds the struct device in the structure instead of referencing it through a pointer, so that the cdev and the device share one lifetime, uses cdev_device_add so the device is not released until all references to the cdev are gone, and defers freeing the structure to the device release function.

Impact Analysis

This vulnerability can cause a kernel panic, leading to system crashes or instability when an application closes a character device after its underlying raw bundle has been disconnected. This can result in denial of service or unexpected system behavior.

Detection Guidance

This vulnerability manifests as a use-after-free bug in the Linux kernel greybus raw driver, which can cause a kernel panic with messages such as "refcount_t: underflow; use-after-free" and warnings from refcount_warn_saturate.

Detection can be done by monitoring kernel logs for these specific panic messages and call traces related to cdev_put, __fput, and __x64_sys_close.

Commands to check kernel logs include:

  • dmesg | grep -i 'refcount_t: underflow'
  • journalctl -k | grep -i 'use-after-free'
  • journalctl -k | grep -E 'cdev_put|__fput|__x64_sys_close'

Additionally, enabling CONFIG_INIT_ON_FREE_DEFAULT_ON=y in the kernel configuration can help trigger the panic for easier detection during testing.
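
The symbol names in the third command (__fput, __x64_sys_close) appear in many unrelated traces, so grepping for them alone is noisy. The following is an added example, not part of the advisory or the kernel patch: it reports a refcount underflow only when cdev_put shows up in the call trace that follows it. The function names, the 40-line window and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report a refcount underflow only when
# cdev_put appears in the call trace that follows it. Reads kernel log on stdin.
find_cdev_uaf() {
    awk '
        # The warning line opens a bounded window covering the trace after it.
        # The 40-line window size is an assumption, not a kernel constant.
        /refcount_t: underflow; use-after-free/ { start = NR; left = 40; next }
        left > 0 {
            left--
            if ($0 ~ /cdev_put\+0x/) {
                printf "line %d: refcount underflow, cdev_put in trace at line %d\n", start, NR
                found++; left = 0
            } else if ($0 ~ /<\/TASK>|end trace/) {
                left = 0    # trace ended without cdev_put: a different bug
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the trace quoted in the advisory, with made-up timestamps.
sample_greybus_trace() {
    cat <<'EOF'
[  41.100000] refcount_t: underflow; use-after-free.
[  41.100010] WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130
[  41.100020] Call Trace:
[  41.100030]  <TASK>
[  41.100040]  cdev_put+0x18/0x30
[  41.100050]  __fput+0x255/0x2a0
[  41.100060]  __x64_sys_close+0x3d/0x80
[  41.100070]  </TASK>
EOF
}

# Constructed sample: an underflow from another path, then an unrelated close().
sample_unrelated_trace() {
    cat <<'EOF'
[  90.000000] refcount_t: underflow; use-after-free.
[  90.000010] Call Trace:
[  90.000020]  <TASK>
[  90.000030]  example_other_put+0x10/0x20
[  90.000040]  </TASK>
[  95.000000]  __fput+0x255/0x2a0
[  95.000010]  __x64_sys_close+0x3d/0x80
EOF
}
```

On a live system, pipe `dmesg` or `journalctl -k` into find_cdev_uaf; the exit status is 0 only when a correlated match was found.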

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the greybus raw driver has been fixed to prevent the use-after-free condition.

The fix involves converting the struct device from a pointer to an embedded structure to synchronize the lifetime of the cdev and device, using cdev_device_add to manage device references properly, and delegating freeing to the device release function.

Until the patch is applied, avoid disconnecting raw bundles while applications still have the chardev open to prevent triggering the bug.

Monitoring for kernel panics related to this issue and restricting usage of affected greybus raw devices can also reduce risk.
