CVE-2026-53166
Status: Received - Intake
NULL Pointer Dereference in Linux Kernel Futex

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock

When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash.

Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's futex subsystem, specifically in the FUTEX_CMP_REQUEUE_PI requeue path. It is a NULL pointer dereference in remove_waiter() triggered by a self-deadlock condition: when FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before it has set the waiter->task pointer. remove_waiter(), called from rt_mutex_start_proxy_lock(), then dereferences the NULL waiter->task and the kernel crashes.

The fix involves adding a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), similar to the existing check for top waiters, to prevent the NULL pointer dereference and subsequent crash.

Impact Analysis

This vulnerability causes a kernel crash through a NULL pointer dereference in the futex subsystem. A kernel crash amounts to a denial of service: an affected system may panic, reboot unexpectedly or become unresponsive, with the associated risk of losing unsaved data and reduced availability. Because the defect is in the kernel itself, the mitigation is to run a kernel that includes the fix described above.
