CVE-2026-53061
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dm cache: fix dirty mapping checking in passthrough mode switching As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), dm-cache assumed table reload occurs after suspension, while LVM's table preload breaks this assumption. The dirty mapping check for passthrough mode was designed around this assumption and is performed during table creation, causing the check to fail with preload while metadata updates are ongoing. This risks loading dirty mappings into passthrough mode, resulting in data loss. Reproduce steps: 1. Create a writeback cache with zero migration_threshold to produce dirty mappings dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \ 2 migration_threshold 0" 2. Preload a table in passthrough mode dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" 3. Write to the first cache block to make it dirty fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \ --direct=1 --size=64k 4. Resume the inactive table. Now it's possible to load the dirty block into passthrough mode. dmsetup resume cache Fix by moving the checks to the preresume phase to support table preloading. Also remove the unused function dm_cache_metadata_all_clean.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53061
EUVD
EUVD-2026-38929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The primary impact of this vulnerability is the risk of data loss. Because dirty cache blocks can be loaded into passthrough mode incorrectly, data that has not been properly written back to the underlying storage may be lost.

This can affect systems using dm-cache with writeback caching and table preloading, potentially causing corruption or loss of critical data during cache mode switching.

Executive Summary

This vulnerability exists in the Linux kernel's device mapper cache (dm-cache) subsystem. It involves an incorrect assumption about how table reloads occur after suspension. Specifically, dm-cache assumed that table reload happens only after suspension, but Logical Volume Manager (LVM) uses table preload, which breaks this assumption.

The vulnerability is related to the dirty mapping check in passthrough mode, which was designed to run during table creation. Because of the preload behavior, this check can fail while metadata updates are ongoing, allowing dirty (unwritten) mappings to be loaded into passthrough mode.

This can lead to data loss because dirty cache blocks might be incorrectly handled during mode switching.

Detection Guidance

This vulnerability relates to the dm-cache feature in the Linux kernel, specifically involving dirty mapping checks in passthrough mode during table preload and resume operations.

To detect the vulnerability or reproduce the conditions that expose it, you can perform the following steps using dmsetup and fio commands:

  • Create a writeback cache with zero migration_threshold to produce dirty mappings using dmsetup create commands.
  • Preload a table in passthrough mode with dmsetup reload.
  • Write to the first cache block to make it dirty using fio.
  • Resume the inactive table with dmsetup resume to check if dirty blocks are loaded into passthrough mode.

Example commands from the description are:

  • dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
  • dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
  • dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
  • dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
  • dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq 2 migration_threshold 0"
  • dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
  • fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k --direct=1 --size=64k
  • dmsetup resume cache
Mitigation Strategies

The vulnerability is fixed by moving the dirty mapping checks to the preresume phase to support table preloading and by removing an unused function.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid using dm-cache in passthrough mode with table preloading until the fix is applied.
  • Monitor and control usage of writeback caches with zero migration_threshold to prevent dirty mappings from being loaded incorrectly.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53061. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart