CVE-2026-53067
Received - Intake
PCI Endpoint MSI Double Free in Linux Kernel

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc

pci_epf_alloc_doorbell() stores the allocated doorbell message array in epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation fails, the array is freed but the EPF state may still point to freed memory.

Clear epf->db_msg and epf->num_db on the MSI allocation failure path so that later cleanup cannot double-free the array and callers can retry allocation.

Also return -EBUSY when doorbells have already been allocated to prevent leaking or overwriting an existing allocation.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's PCI endpoint driver pci-ep-msi. The function pci_epf_alloc_doorbell() allocates a doorbell message array and stores it in the endpoint function's state (epf->db_msg and epf->num_db) before requesting MSI (Message Signaled Interrupts) vectors. If the MSI allocation fails, the array is freed, but the endpoint function's state still points to the freed memory. Later cleanup can then free the same array a second time, and the stale state gets in the way of retrying the allocation.

The fix clears the pointer to the doorbell message array and its count on the MSI allocation failure path, which prevents the double free and allows safe retries. Additionally, the function now returns an error (-EBUSY) if doorbells have already been allocated, preventing leaks or overwriting of an existing allocation.
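The unwind described above, modelled in user-space C as an added example; it is not the kernel's code or the upstream patch. The names epf_model, mock_*, model_* and clear_state are hypothetical, the -ENOMEM failure code is constructed, and a one-slot mock allocator counts the second free instead of performing it.

```c
/* User-space model of the error unwind; not the kernel source. epf_model,
 * mock_*, model_* and clear_state are hypothetical names; db_msg, num_db and
 * -EBUSY come from the advisory. -ENOMEM for the MSI failure is constructed. */
#include <errno.h>
#include <stddef.h>

struct epf_model { void *db_msg; unsigned int num_db; };

/* One-slot mock allocator: counts a double free instead of corrupting a heap. */
static char slot[64];
static int slot_live, double_frees;
static void *mock_alloc(void) { slot_live = 1; return slot; }
static void mock_free(void *p)
{
    if (!p) return;                          /* NULL is a no-op, as with kfree() */
    if (!slot_live) { double_frees++; return; }
    slot_live = 0;
}
static void clear_state(struct epf_model *epf) { epf->db_msg = NULL; epf->num_db = 0; }

/* fixed = 0 models the pre-patch unwind, fixed = 1 the patched behaviour. */
static int model_alloc_doorbell(struct epf_model *epf, unsigned int n, int msi_fails, int fixed)
{
    if (fixed && epf->db_msg)
        return -EBUSY;                       /* refuse to overwrite a live allocation */
    epf->db_msg = mock_alloc();              /* state is published before the MSI request */
    epf->num_db = n;
    if (msi_fails) {                         /* stands in for the MSI vector request failing */
        mock_free(epf->db_msg);
        if (fixed) clear_state(epf);         /* the fix: drop the stale pointer and count */
        return -ENOMEM;
    }
    return 0;
}

/* Cleanup a caller runs later, for example after the failed allocation. */
static void model_free_doorbell(struct epf_model *epf)
{
    mock_free(epf->db_msg);
    clear_state(epf);
}

/* Failed allocation followed by cleanup; returns how many double frees occurred. */
static int double_frees_after_failed_alloc(int fixed)
{
    struct epf_model epf = { NULL, 0 };
    double_frees = 0;
    (void)model_alloc_doorbell(&epf, 4, 1, fixed);
    model_free_doorbell(&epf);
    return double_frees;
}
```

With fixed set to 0 the cleanup path frees the already-freed slot once; with fixed set to 1 the cleanup sees a NULL pointer, a retry succeeds, and a second allocation on live state is refused with -EBUSY.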

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel due to double-free errors or use-after-free conditions. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited.

In practical terms, this could compromise the reliability and security of systems running vulnerable versions of the Linux kernel, especially those using PCI endpoint functions with MSI doorbell allocations.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing pci-ep-msi to handle MSI allocation failures correctly and prevent the double free.

To mitigate this vulnerability, update your Linux kernel to a version that includes this fix.
