CVE-2026-53185

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

zram: fix use-after-free in zram_bvec_write_partial()

zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.
Affected Vendors & Products
Vendor: linux_kernel
Product: zram
Version / Range: *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's zram component, specifically in the function zram_bvec_write_partial().

The problem arises because zram_read_page() chooses between synchronous or asynchronous read paths based on whether the parent bio is NULL. In the affected code, zram_bvec_write_partial() passes its parent bio down, causing reads for certain slots (ZRAM_WB) to be dispatched asynchronously.

As a result, zram_read_page() returns 0 while the asynchronous read is still in progress. Meanwhile, the caller proceeds to run memcpy_from_bvec(), zram_write_page(), and __free_page() on the buffer, which leads to the asynchronous read writing into a page that has already been freed.

zram_bvec_read_partial() had already been switched to pass a NULL parent bio, which forces a synchronous read, in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason. The write_partial counterpart was missed at that time and is what this fix corrects.
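
The lifetime problem described above, as an added user-space model (not the kernel's code and not from the original page). The model_* functions, both structs and the 0xAB fill pattern are hypothetical stand-ins, and "freeing" is only a flag, so the late write is counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SZ 64
struct page_buf { unsigned char data[PAGE_SZ]; bool freed; }; /* stand-in for the temporary page */
struct bio_model { int id; };                                 /* stand-in for the parent bio */

static struct page_buf *pending_dst; /* destination of the one read still "in flight" */
static int late_writes;              /* completions that hit an already-freed buffer */

/* Model of the read path: a non-NULL parent selects the async route. */
static int model_read_page(struct page_buf *dst, struct bio_model *parent)
{
    if (parent) {                     /* async: queue the read, report success at once */
        pending_dst = dst;
        return 0;
    }
    memset(dst->data, 0xAB, PAGE_SZ); /* sync: data is present on return */
    return 0;
}

/* Model of the I/O completion that runs after the caller has moved on. */
static void model_complete_io(void)
{
    if (pending_dst && pending_dst->freed)
        late_writes++;                /* in the kernel: a write into a freed page */
    pending_dst = NULL;
}

/* Model of the partial-write read-modify-write; returns the late-write count. */
static int model_write_partial(struct bio_model *read_parent, const unsigned char *src,
                               size_t off, size_t len, unsigned char *stored)
{
    struct page_buf page = { .freed = false };
    late_writes = 0;
    model_read_page(&page, read_parent);
    memcpy(page.data + off, src, len);   /* memcpy_from_bvec() step */
    memcpy(stored, page.data, PAGE_SZ);  /* zram_write_page() step */
    page.freed = true;                   /* __free_page() step */
    model_complete_io();
    return late_writes;
}

int main(void)
{
    unsigned char stored[PAGE_SZ], src[4] = { 1, 2, 3, 4 };
    struct bio_model parent = { 1 };
    printf("parent passed: late writes=%d\n", model_write_partial(&parent, src, 8, 4, stored));
    printf("NULL passed:   late writes=%d\n", model_write_partial(NULL, src, 8, 4, stored));
}
```

With the parent passed down, the model also shows that the merged page is built from a buffer the read has not filled yet, in addition to the completion landing after the free.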

Impact Analysis

This use-after-free vulnerability can lead to memory corruption within the Linux kernel's zram subsystem.

Memory corruption may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Because it involves asynchronous reads writing to freed memory, it could be exploited to compromise system security or cause denial of service.
