CVE-2026-53047
Awaiting Analysis Awaiting Analysis - Queue

Incorrect sizeof in phys array reallocation in Linux kernel

Vulnerability report for CVE-2026-53047, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's EFI capsule loader code. Specifically, it involves an incorrect use of the sizeof operator during memory reallocation for an array of physical addresses (phys array). The code uses sizeof(phys_addr_t *) (size of a pointer) instead of sizeof(phys_addr_t) (size of the actual physical address type) when reallocating memory.

On 64-bit systems, where the size of a pointer and the size of phys_addr_t are the same, this mistake does not cause issues. However, on 32-bit systems with Physical Address Extension (PAE), phys_addr_t is 64-bit while pointers are 32-bit. This leads to allocating only half the required memory, potentially causing a heap buffer overflow when storing physical addresses.

Impact Analysis

The vulnerability can lead to a heap buffer overflow on affected systems (32-bit with PAE). This means that when the system stores physical addresses, it might write beyond the allocated memory buffer, potentially corrupting adjacent memory.

Heap buffer overflows can cause system instability, crashes, or potentially be exploited by attackers to execute arbitrary code or escalate privileges, depending on the context and other system protections.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability relates to an incorrect memory allocation size in the Linux kernel's EFI capsule loader code, specifically in the __efi_capsule_setup_info() function. Detection would typically involve verifying the kernel version or patch level to see if this fix has been applied.

Since this is a kernel-level issue, direct detection via network commands is not applicable. Instead, you can check your running kernel version and compare it against versions known to include this fix.

Suggested commands to gather relevant information include:

  • uname -a # To display the current kernel version and architecture
  • dmesg | grep -i efi # To check EFI-related kernel messages
  • grep CONFIG_EFI /boot/config-$(uname -r) # To verify EFI support in the kernel configuration

For a more precise detection, you would need to verify if the kernel source includes the patch fixing the incorrect sizeof usage in the capsule loader code, which may require source code or patch level inspection.

Mitigation Strategies

The primary mitigation step is to update your Linux kernel to a version that includes the fix for this vulnerability.

Since the issue is caused by incorrect memory allocation in the EFI capsule loader on 32-bit systems with PAE, applying the patch that corrects the sizeof usage in __efi_capsule_setup_info() will prevent potential heap buffer overflows.

If an immediate kernel update is not possible, consider disabling EFI capsule loading features if they are not required in your environment, though this may impact system functionality.

Regularly monitor for kernel updates and security advisories from your Linux distribution to ensure timely application of patches.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart