CVE-2026-53162
Status: Received - Intake
Memory Corruption in Linux Kernel via NMI Context

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

memcg: use round-robin victim selection in refill_stock

Harry Yoo reported that get_random_u32_below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context. More specifically get_random_u32_below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state.

The memcg_stock local_trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock.

Replace the random pick with a per-cpu round-robin counter stored in memcg_stock_pcp and serialized by the same local_trylock that already guards cached[] and nr_pages[]. No atomics, no random calls, no extra locks needed.
Affected Vendors & Products

Vendor | Product | Version / Range
--- | --- | ---
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
Impact Analysis

This vulnerability can lead to corruption of the random number generator's internal state when called in an unsafe context, potentially causing unpredictable behavior in the kernel's memory control group (memcg) charge draining process. Such corruption could affect system stability or reliability, especially in environments relying on accurate memory resource management.

Executive Summary

This vulnerability in the Linux kernel involves the use of the function get_random_u32_below() in a non-maskable interrupt (NMI) context, which is unsafe. The function is neither reentrant nor NMI-safe because it acquires a per-CPU local lock on the batched_entropy_u32 state. If an NMI occurs while the ChaCha batch state is being updated and recurses into the random subsystem, it can corrupt that state.

The vulnerability arises because the memcg_stock local_trylock only prevents re-entry on the per-CPU stock itself but cannot protect unrelated subsystems' per-CPU locks, such as the one used by get_random_u32_below(). The fix replaces the random victim selection with a per-CPU round-robin counter serialized by the existing local_trylock, eliminating the need for random calls or extra locks.
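Added user-space C model (not kernel code and not the patch itself) of the refill_stock() path that the description and executive summary above discuss: a per-CPU stock with cached[] and nr_pages[] slots whose eviction victim is chosen by a round-robin cursor instead of get_random_u32_below(). The names stock_model, NR_SLOTS, pick_victim and the drained counter are assumptions of this model, and the kernel's locking is not reproduced.

```c
#include <stdint.h>

/* Model (assumption, not kernel code) of the per-CPU memcg stock the CVE
 * text describes: NR_SLOTS cached memcgs with their page counts, plus the
 * round-robin victim cursor that the fix stores in memcg_stock_pcp. */
#define NR_SLOTS 7

struct stock_model {
    uintptr_t cached[NR_SLOTS];   /* memcg identity, 0 = empty slot */
    unsigned  nr_pages[NR_SLOTS]; /* pages stocked for that memcg */
    unsigned  rr_victim;          /* round-robin cursor (the fix) */
    unsigned  drained;            /* pages flushed by evictions (for checking) */
};

/* Round-robin victim: each call returns the next slot in turn. This is
 * plain per-CPU state updated under the same trylock as cached[] and
 * nr_pages[], so, unlike get_random_u32_below(), it never enters the
 * random subsystem and never takes another subsystem's per-CPU lock. */
static unsigned pick_victim(struct stock_model *s)
{
    unsigned v = s->rr_victim;
    s->rr_victim = (v + 1) % NR_SLOTS;
    return v;
}

/* Model of refill_stock(): credit pages to the memcg's existing slot, else
 * reuse an empty slot, else evict the round-robin victim and flush its
 * pages. Returns the slot index that now holds this memcg. */
static unsigned refill_stock(struct stock_model *s, uintptr_t memcg, unsigned pages)
{
    unsigned i, slot = NR_SLOTS;

    for (i = 0; i < NR_SLOTS; i++) {
        if (s->cached[i] == memcg) {
            s->nr_pages[i] += pages;
            return i;
        }
        if (s->cached[i] == 0 && slot == NR_SLOTS)
            slot = i;                     /* remember first empty slot */
    }
    if (slot == NR_SLOTS) {               /* stock full: evict a victim */
        slot = pick_victim(s);
        s->drained += s->nr_pages[slot];  /* stands in for drain_stock() */
    }
    s->cached[slot] = memcg;
    s->nr_pages[slot] = pages;
    return slot;
}
```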

Mitigation Strategies

The vulnerability has been resolved by updating the Linux kernel to replace the unsafe get_random_u32_below() call in the memcg charge draining code with a safer per-cpu round-robin counter mechanism.

Therefore, the immediate step to mitigate this vulnerability is to update your Linux kernel to a version that includes this fix.
