CVE-2026-53126
Received - Intake
Reference Leak in Linux Kernel blk-cgroup

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()

Add the missing put_disk() on the error path in blkcg_maybe_throttle_current(). When blkcg lookup, blkg lookup, or blkg_tryget() fails, the function jumps to the out label which only calls rcu_read_unlock() but does not release the disk reference acquired by blkcg_schedule_throttle() via get_device(). Since current->throttle_disk is already set to NULL before the lookup, blkcg_exit() cannot release this reference either, causing the disk to never be freed.

Restore the reference release that was present as blk_put_queue() in the original code but was inadvertently dropped during the conversion from request_queue to gendisk.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is a disk reference leak in the Linux kernel's blk-cgroup subsystem, specifically in the function blkcg_maybe_throttle_current().

When one of the lookups (blkcg lookup, blkg lookup, or blkg_tryget()) fails, the function jumps to an error-handling label that only releases the read-copy-update (RCU) read lock and does not release the disk reference that was acquired earlier.

Because the current process's throttle_disk pointer is set to NULL before the lookup, the usual cleanup function blkcg_exit() cannot release this disk reference, causing the disk reference to never be freed.

The fix restores the missing release of this disk reference that was accidentally dropped during code changes converting from request_queue to gendisk.
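
A user-space C model of the leak described above, added here as an illustration; it is not the kernel's code and not taken from the fix. All struct and function names are hypothetical stand-ins, and the success path dropping the reference is an assumption of the model.

```c
/* User-space model, not kernel code; every name below is hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct disk { int refs; };                    /* stands in for the gendisk */
struct task { struct disk *throttle_disk; };  /* stands in for current */

/* Models blkcg_schedule_throttle(): take a reference, park it on the task. */
static void schedule_throttle(struct task *t, struct disk *d)
{
    d->refs++;
    t->throttle_disk = d;
}

/* Models blkcg_maybe_throttle_current(); lookup_ok=false is a failed lookup. */
static void maybe_throttle(struct task *t, bool lookup_ok, bool patched)
{
    struct disk *d = t->throttle_disk;

    if (!d)
        return;
    t->throttle_disk = NULL;   /* the reference now belongs to this call */
    if (!lookup_ok)
        goto out;
    d->refs--;                 /* assumed: the success path drops it */
    return;
out:                           /* unpatched: only rcu_read_unlock() runs here */
    if (patched)
        d->refs--;             /* the release the fix adds */
}

/* References still held after one throttle attempt followed by task exit. */
static int leaked_refs(bool lookup_ok, bool patched)
{
    struct disk d = { 0 };
    struct task t = { NULL };

    schedule_throttle(&t, &d);
    maybe_throttle(&t, lookup_ok, patched);
    if (t.throttle_disk)       /* models blkcg_exit(): nothing is parked */
        t.throttle_disk->refs--;
    return d.refs;
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", leaked_refs(false, false), leaked_refs(false, true));
    return 0;
}
```

Each failed lookup on the unpatched path leaves one reference that no later code can reach, which is why the disk is never freed.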

Impact Analysis

This vulnerability can lead to a resource leak in the Linux kernel where disk references are not properly released.

Over time, this leak could cause increased memory or resource consumption related to disk management, potentially degrading system performance or stability.

In extreme cases, it might contribute to system resource exhaustion, which could affect the availability of disk-related operations.
