CVE-2026-53165
Received - Intake
Null Pointer Dereference in Linux Kernel iomap

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iomap: avoid potential null folio->mapping deref during error reporting

When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(folio->mapping->host, ...). This is called after ifs->read_bytes_pending has been decremented by the bytes attempted to be read.

For a folio split across multiple read completions, the folio is only guaranteed to stay locked while read_bytes_pending > 0. Once iomap_finish_folio_read() decrements read_bytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping.

As reported by Sam Sun, this is the race that can occur:

    CPU0: failed completion        CPU1: final completion       CPU2: truncate
    -----------------------        ----------------------       --------------
    read_bytes_pending -= len
    finished = false
    /* preempted before
       fserror_report_io() */
                                   read_bytes_pending -= len
                                   finished = true
                                   folio_end_read()
                                                                truncate clears
                                                                folio->mapping
    fserror_report_io(
        folio->mapping->host, ...)
        ^ NULL deref

Fix this by reporting the error first before decrementing ifs->read_bytes_pending.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's iomap subsystem related to buffered reads. When a buffered read fails, an error is reported using a pointer to a folio's mapping. However, due to a race condition, the folio's mapping pointer can become NULL before the error reporting function is called, leading to a potential NULL pointer dereference.

Specifically, the issue arises because the error reporting function is called after decrementing a counter (read_bytes_pending). If multiple reads are happening concurrently on the same folio, one read can finish and unlock the folio, allowing truncate logic to clear the folio's mapping pointer. Then, when the error reporting function tries to access the folio's mapping, it dereferences a NULL pointer.

The fix reorders the operations so that the error is reported before the read_bytes_pending counter is decremented, while the folio is still guaranteed to be locked and its mapping pointer cannot yet be cleared by truncate.
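
The ordering problem and its fix can be replayed deterministically in user space. The following is an added example, not kernel code and not the upstream patch: model_folio, report_error, other_cpus and failed_completion are hypothetical names, and the folio lock is modelled simply as read_bytes_pending > 0.

```c
/* Added user-space model, not kernel code: all names are hypothetical stand-ins.
 * It replays the interleaving from the description in a single thread. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct model_folio {
    void  *mapping;            /* NULL once truncate has detached the folio */
    size_t read_bytes_pending; /* folio is locked while this is > 0 */
};

enum report { REPORT_OK, REPORT_NULL_MAPPING };

/* Stand-in for fserror_report_io(): flags a NULL mapping instead of dereferencing it. */
static enum report report_error(const struct model_folio *f)
{
    return f->mapping ? REPORT_OK : REPORT_NULL_MAPPING;
}

/* CPU1's completion, then CPU2's truncate, which detaches only an unlocked folio. */
static void other_cpus(struct model_folio *f, size_t len)
{
    f->read_bytes_pending -= len;
    if (f->read_bytes_pending == 0)
        f->mapping = NULL;
}

/* CPU0's failed completion on a folio split into two 4096-byte reads. */
enum report failed_completion(bool report_first)
{
    static int host;
    struct model_folio f = { &host, 8192 };
    enum report r;
    if (report_first) {               /* fixed order */
        other_cpus(&f, 4096);         /* worst case: CPU1 completes first */
        r = report_error(&f);         /* pending == 4096, still locked */
        f.read_bytes_pending -= 4096;
    } else {                          /* original order */
        f.read_bytes_pending -= 4096;
        other_cpus(&f, 4096);         /* runs while CPU0 is preempted */
        r = report_error(&f);         /* mapping already cleared */
    }
    return r;
}

int main(void)
{
    printf("original=%d fixed=%d\n", failed_completion(false), failed_completion(true));
    return 0;
}
```

In the fixed order CPU0's own bytes are still counted when it reports, so no other completion can bring the counter to zero and unlock the folio first.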

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability.

Such crashes can result in denial of service (DoS) conditions, where the affected system becomes unresponsive or requires a reboot.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by changing the order of operations in iomap_finish_folio_read() to report the error before decrementing read_bytes_pending. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
