CVE-2026-53038
Received - Intake
Buffer Overflow in Linux Kernel IMA Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ima_fs: Correctly create securityfs files for unsupported hash algos

ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[].

On 6.12.40 I observe the following read out-of-bounds in hash_algo_name:

  ==================================================================
  BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440
  Read of size 8 at addr ffffffff83e18138 by task swapper/0/1

  CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3
  Call Trace:
   <TASK>
   dump_stack_lvl+0x61/0x90
   print_report+0xc4/0x580
   ? kasan_addr_to_slab+0x26/0x80
   ? create_securityfs_measurement_lists+0x396/0x440
   kasan_report+0xc2/0x100
   ? create_securityfs_measurement_lists+0x396/0x440
   create_securityfs_measurement_lists+0x396/0x440
   ima_fs_init+0xa3/0x300
   ima_init+0x7d/0xd0
   init_ima+0x28/0x100
   do_one_initcall+0xa6/0x3e0
   kernel_init_freeable+0x455/0x740
   kernel_init+0x24/0x1d0
   ret_from_fork+0x38/0x80
   ret_from_fork_asm+0x11/0x20
   </TASK>

  The buggy address belongs to the variable:
   hash_algo_name+0xb8/0x420

  Memory state around the buggy address:
   ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
   ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
                                          ^
   ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
   ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  ==================================================================

Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms:

  tpm tpm0: TPM with unsupported bank algorithm 0x0027

That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2].

Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized.

This is how it looks on the test machine (patch ported to v6.12 release):

  # ls -1 /sys/kernel/security/ima/
  ascii_runtime_measurements
  ascii_runtime_measurements_tpm_alg_27
  ascii_runtime_measurements_sha1
  ascii_runtime_measurements_sha256
  binary_runtime_measurements
  binary_runtime_measurements_tpm_alg_27
  binary_runtime_measurements_sha1
  binary_runtime_measurements_sha256
  policy
  runtime_measurements_count
  violations

[1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf
[2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor  Product       Version / Range
linux   linux_kernel  6.12.40

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's Integrity Measurement Architecture (IMA) filesystem code. When a Trusted Platform Module (TPM) bank uses an algorithm the kernel does not support, the bank's crypto_id is initialized to the special value HASH_ALGO__LAST. Some parts of the code nevertheless assume the ID is valid and use it to index the hash_algo_name[] array of hash algorithm names, leading to an out-of-bounds read.

Specifically, the vulnerability causes a read out-of-bounds error in the hash_algo_name array during the creation of security filesystem files for unsupported hash algorithms. This can happen when the TPM chip supports a newer algorithm like sha3_256, which is not yet recognized by the kernel's TPM algorithm list.

The issue was fixed by changing the way securityfs files are created for unsupported hash algorithms, appending a postfix with the algorithm ID instead of relying on invalid array indexing.
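
The pattern described above, reduced to a userspace C model. This is an added example, not the kernel patch: the two-entry hash_algo_name table, struct tpm_bank, the sample banks and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model. The identifiers hash_algo_name, HASH_ALGO__LAST and
 * crypto_id come from the description; everything else is illustrative. */
enum hash_algo { HASH_ALGO_SHA1, HASH_ALGO_SHA256, HASH_ALGO__LAST };

static const char *const hash_algo_name[HASH_ALGO__LAST] = { "sha1", "sha256" };

struct tpm_bank {            /* hypothetical stand-in for one allocated bank */
    unsigned int tpm_alg_id; /* algorithm ID reported by the TPM */
    unsigned int crypto_id;  /* index into hash_algo_name[], or HASH_ALGO__LAST */
};

/* Constructed sample: the three banks implied by the directory listing. */
static const struct tpm_bank banks[] = {
    { 0x0027, HASH_ALGO__LAST },  /* TPM_ALG_SHA3_256, unsupported */
    { 0x0004, HASH_ALGO_SHA1 },   /* TPM_ALG_SHA1 */
    { 0x000b, HASH_ALGO_SHA256 }, /* TPM_ALG_SHA256 */
};

/* Pre-fix pattern: crypto_id is used as an index without a check. With
 * crypto_id == HASH_ALGO__LAST this reads one slot past the array, so this
 * model never calls it for such a bank. */
static int name_unchecked(const struct tpm_bank *b, const char *prefix,
                          char *out, size_t n)
{
    return snprintf(out, n, "%s_%s", prefix, hash_algo_name[b->crypto_id]);
}

/* Fixed pattern: test for the sentinel first and fall back to a name built
 * from the TPM's own algorithm ID. */
static int name_checked(const struct tpm_bank *b, const char *prefix,
                        char *out, size_t n)
{
    if (b->crypto_id >= HASH_ALGO__LAST)
        return snprintf(out, n, "%s_tpm_alg_%x", prefix, b->tpm_alg_id);
    return name_unchecked(b, prefix, out, n);
}

int main(void)
{
    char name[64];
    for (size_t i = 0; i < sizeof(banks) / sizeof(banks[0]); i++) {
        name_checked(&banks[i], "ascii_runtime_measurements", name, sizeof(name));
        puts(name);
    }
    return 0;
}
```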

Impact Analysis

This vulnerability can cause the Linux kernel to perform an out-of-bounds memory read, which may lead to kernel crashes or instability. Such behavior can affect system reliability and availability.

While the description does not explicitly mention privilege escalation or code execution, out-of-bounds reads in kernel space can potentially be leveraged by attackers to gain sensitive information or cause denial of service.

Detection Guidance

Whether a system is handling an unsupported TPM hash algorithm with the fixed code can be checked through the securityfs files that IMA (Integrity Measurement Architecture) creates in the kernel's security filesystem.

On a system with the patched kernel, files with the postfix "_tpm_alg_<ID>" are created for unsupported crypto algorithms. List the IMA securityfs directory to see whether such files exist:

  • ls -1 /sys/kernel/security/ima/

Files such as ascii_runtime_measurements_tpm_alg_27 or binary_runtime_measurements_tpm_alg_27 indicate that the TPM exposes a bank whose algorithm the kernel does not recognize and that the kernel names its files by TPM algorithm ID instead of indexing hash_algo_name[]. The kernel log message quoted in the description, "tpm tpm0: TPM with unsupported bank algorithm 0x0027", identifies a TPM that exposes such a bank.

Mitigation Strategies

The vulnerability is resolved by correctly creating securityfs files for unsupported hash algorithms in the Linux kernel.

Immediate mitigation steps include updating your Linux kernel to version 6.12.40 or later where this fix is applied.

This update ensures that unsupported TPM algorithms like sha3_256 are handled properly by creating files with the postfix "_tpm_alg_<ID>", preventing out-of-bounds memory reads.

Until the update is applied, avoid using TPM chips or configurations that rely on unsupported hash algorithms to reduce the risk of triggering the vulnerability.
