CVE-2026-53064
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix null-deref with concurrent writes in passthrough mode

In passthrough mode, when dm-cache starts to invalidate a cache entry and the bio prison cell lock fails due to a concurrent write to the same cached block, mg->cell remains NULL. The error path in invalidate_complete() attempts to unlock and free the cell unconditionally, causing a NULL pointer dereference:

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT
RIP: 0010:dm_cell_unlock_v2+0x3f/0x210
<snip>
Call Trace:
 invalidate_complete+0xef/0x430
 map_bio+0x130f/0x1a10
 cache_map+0x320/0x6b0
 __map_bio+0x458/0x510
 dm_submit_bio+0x40e/0x16d0
 __submit_bio+0x419/0x870
<snip>

Reproduce steps:

1. Create a cache device
   dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
   dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
   dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
   dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
   dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
     /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. Promote the first data block into cache
   fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
     --direct=1 --size=64k

3. Reload the cache into passthrough mode
   dmsetup suspend cache
   dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
     /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
   dmsetup resume cache

4. Write to the first cached block concurrently
   fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
     --randrepeat=0 --direct=1 --numjobs=2 --size 64k

Fix by checking if mg->cell is valid before attempting to unlock it.
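A constructed C model of the error path described above, added here and not the kernel's own code: cell, migration, cell_lock and the two invalidate_complete variants are simplified stand-ins for the dm-bio-prison cell, dm_cache_migration and the pre- and post-fix invalidate_complete(). It shows how a lock that fails under contention leaves mg->cell NULL, and why the error path must check the pointer before unlocking.

```c
#include <errno.h>
#include <stddef.h>

/* Toy stand-ins for a dm-bio-prison cell and dm_cache_migration. */
struct cell { int held; };
struct migration { struct cell *cell; };
/* Exclusive lock on c; like the real lock, failure leaves *out untouched. */
static int cell_lock(struct cell *c, struct cell **out)
{
	if (c->held)			/* a concurrent write already owns it */
		return -EBUSY;
	c->held = 1;
	*out = c;
	return 0;
}

/* Error path before the fix: touches mg->cell unconditionally. */
static int invalidate_complete_unsafe(struct migration *mg)
{
	mg->cell->held = 0;		/* the reported null-ptr-deref when NULL */
	mg->cell = NULL;
	return 1;
}

/* After the fix: release the cell only if held. Returns 1 if released, else 0. */
static int invalidate_complete_fixed(struct migration *mg)
{
	if (!mg->cell)
		return 0;
	mg->cell->held = 0;
	mg->cell = NULL;
	return 1;
}

/* Scenario from the report: a writer holds the block's cell when the
 * passthrough-mode invalidation of that block starts. Returns -EBUSY and
 * leaves mg->cell NULL, which the fixed error path must tolerate. */
static int contended_invalidation(struct cell *c, struct migration *mg)
{
	struct cell *writer = NULL;
	int r;
	c->held = 0;
	mg->cell = NULL;
	cell_lock(c, &writer);		/* the concurrent write wins the cell */
	r = cell_lock(c, &mg->cell);	/* invalidation attempt fails */
	if (r < 0)
		invalidate_complete_fixed(mg);	/* safe with mg->cell == NULL */
	return r;
}
```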
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor        Product        Version / Range
linux_kernel  linux_kernel   *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's device mapper cache (dm-cache) when operating in passthrough mode. It occurs due to a null pointer dereference caused by concurrent writes to the same cached block. Specifically, when dm-cache tries to invalidate a cache entry, if the bio prison cell lock fails because of concurrent writes, an internal pointer (mg->cell) remains NULL. The error handling code then attempts to unlock and free this NULL pointer, leading to a kernel crash.

The issue can be reproduced by creating a cache device, promoting a data block into the cache, switching the cache to passthrough mode, and then performing concurrent writes to the cached block. The fix involves checking if the pointer mg->cell is valid before attempting to unlock it, preventing the null pointer dereference.

Impact Analysis

This vulnerability can cause a kernel crash due to a null pointer dereference when concurrent writes occur on the same cached block in passthrough mode. Such crashes can lead to system instability, potential data loss, or denial of service as the affected system may become unresponsive or reboot unexpectedly.

Detection Guidance

This vulnerability can be detected by reproducing the conditions that trigger the null pointer dereference in the Linux kernel's dm-cache passthrough mode.

The following commands can be used to reproduce and detect the issue:

  1. Create cache devices using dmsetup:
       dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
       dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
       dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
  2. Initialize cache metadata with dd:
       dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
  3. Create the cache device:
       dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
  4. Promote the first data block into cache using fio:
       fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k --direct=1 --size=64k
  5. Reload the cache into passthrough mode:
       dmsetup suspend cache
       dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
       dmsetup resume cache
  6. Write concurrently to the first cached block to trigger the issue:
       fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k --randrepeat=0 --direct=1 --numjobs=2 --size 64k

Mitigation Strategies

The immediate mitigation step is to apply the fix that checks if the mg->cell pointer is valid before attempting to unlock it, preventing the null pointer dereference.

Practically, this means updating the Linux kernel to a version that includes this fix.

Until the fix is applied, avoid using dm-cache in passthrough mode with concurrent writes to the same cached block, as this triggers the vulnerability.
