CVE-2026-53163
Received - Intake
Null Pointer Dereference in Linux Kernel RT Mutex

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI:

  KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
  class_raw_spinlock_constructor
  remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
  rt_mutex_start_proxy_lock+0x103/0x120
  futex_requeue+0x10e4/0x20d0
  __x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() upon successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly") moved the remove_waiter() out of __rt_mutex_start_proxy_lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try_to_take_rt_mutex().

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's real-time mutex (rtmutex) locking code. remove_waiter() could be called for a waiter that was never enqueued, which leads to a null pointer dereference. task_blocks_on_rt_mutex() does not arm the waiter when it detects a deadlock, so waiter->task stays NULL; commit 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made remove_waiter() use waiter->task, which turns that state into a fatal dereference. In addition, rt_mutex_start_proxy_lock() called remove_waiter() even after successfully grabbing the rtmutex, which is incorrect behavior.
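
The return paths described above, as a small userspace C model (an added example, not kernel source or the upstream patch). All type and function names are hypothetical, and the tightened condition is an assumed form of the check the description calls for.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified userspace model; all names are hypothetical, not kernel code. */
struct task   { int pi_lock; };
struct waiter { struct task *task; };   /* NULL until the waiter is armed */
struct lock   { struct task *owner; int chain_deadlock; };
static int null_derefs, removed;        /* would-be oopses / clean dequeues */

/* Models remove_waiter() using waiter->task rather than current. */
static void model_remove_waiter(struct waiter *w)
{
    if (!w->task) { null_derefs++; return; }  /* kernel dereferences NULL here */
    w->task->pi_lock++;                       /* stand-in for taking pi_lock */
    w->task = NULL;                           /* waiter dequeued */
    removed++;
}

/* Returns 1 = lock taken, 0 = waiter enqueued, < 0 = error. */
static int model_start_proxy(struct lock *l, struct waiter *w, struct task *t)
{
    if (!l->owner) { l->owner = t; return 1; }  /* try_to_take_rt_mutex() path */
    if (l->owner == t) return -EDEADLK;         /* early deadlock: never armed */
    w->task = t;                                /* armed and enqueued */
    return l->chain_deadlock ? -EDEADLK : 0;    /* late failure, still enqueued */
}

/* tight=0: remove on any non-zero return; tight=1: assumed tightened check. */
static int model_wrapper(struct lock *l, struct waiter *w, struct task *t, int tight)
{
    int ret = model_start_proxy(l, w, t);
    if (tight ? (ret < 0 && w->task != NULL) : (ret != 0))
        model_remove_waiter(w);
    return ret;
}

/* Runs four constructed cases: free lock, self-deadlock, late deadlock,
 * normal enqueue. Returns how many would have dereferenced NULL. */
int run_cases(int tight)
{
    struct task a = {0}, b = {0};
    struct lock cases[4] = { {NULL, 0}, {&a, 0}, {&b, 1}, {&b, 0} };
    null_derefs = removed = 0;
    for (int i = 0; i < 4; i++) {
        struct waiter w = { NULL };
        model_wrapper(&cases[i], &w, &a, tight);
    }
    return null_derefs;
}
```

In this model the loose check hits the unarmed waiter twice (lock acquired, early deadlock), while the tightened check hits it zero times and still dequeues the one waiter that failed after being enqueued.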

Impact Analysis

This vulnerability can cause a kernel crash due to a null pointer dereference in the Linux kernel's locking mechanism. Such a crash can lead to system instability, denial of service, or unexpected reboots, impacting the availability and reliability of systems running affected Linux kernel versions.
