CVE-2026-53163
Analyzed Analyzed - Analysis Complete

Null Pointer Dereference in Linux Kernel RT Mutex

Vulnerability report for CVE-2026-53163, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-07

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI: KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] class_raw_spinlock_constructor remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rt_mutex_start_proxy_lock+0x103/0x120 futex_requeue+0x10e4/0x20d0 __x64_sys_futex+0x34f/0x4d0 task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal. Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try_to_take_rt_mutex().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-07
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.18.27 (inc) to 6.18.36 (exc)
linux linux_kernel From 7.0.4 (inc) to 7.0.13 (exc)
linux linux_kernel From 6.1.175 (inc) to 6.1.177 (exc)
linux linux_kernel From 6.12.86 (inc) to 6.12.95 (exc)
linux linux_kernel From 6.6.140 (inc) to 6.6.144 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's real-time mutex (rtmutex) locking mechanism. Specifically, it involves the function remove_waiter() being called incorrectly when a waiter is not enqueued, which can lead to a null pointer dereference. The issue arises because task_blocks_on_rt_mutex() does not properly arm the waiter upon deadlock detection, leaving the waiter task pointer nil. Changes in the kernel code made remove_waiter() fatal in this scenario. Additionally, the function rt_mutex_start_proxy_lock() was calling remove_waiter() even after successfully grabbing the rtmutex, which is incorrect behavior.

Impact Analysis

This vulnerability can cause a kernel crash due to a null pointer dereference in the Linux kernel's locking mechanism. Such a crash can lead to system instability, denial of service, or unexpected reboots, impacting the availability and reliability of systems running affected Linux kernel versions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart