CVE-2026-53190
Received Received - Intake
DMA Fence Reference Leak in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() which does cursor->chain = dma_fence_get(head), taking an extra reference. On normal loop completion, dma_fence_unwrap_next() releases this via dma_fence_chain_walk() -> dma_fence_put(). When virtio_gpu_do_fence_wait() fails and the function returns early from inside the loop, the cursor->chain reference is never released. This is the only caller in the entire kernel that does an early return inside dma_fence_unwrap_for_each. Add dma_fence_put(itr.chain) before the early return.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53190
EUVD
EUVD-2026-39281
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reference count leak in the Linux kernel's drm/virtio component related to dma_fence handling. Specifically, during the execution of the function virtio_gpu_dma_fence_wait(), an early return on error causes a reference to a dma_fence object to not be released properly. Normally, dma_fence_unwrap_for_each() manages reference counting correctly by acquiring and releasing references during its loop. However, when virtio_gpu_do_fence_wait() fails and returns early inside this loop, the reference count is not decremented, leading to a leak.

Impact Analysis

The impact of this vulnerability is a resource leak in the Linux kernel's graphics virtualization subsystem. The unreleased reference count can cause memory or resource exhaustion over time if the error condition triggering the early return occurs frequently. This may degrade system stability or performance, potentially leading to crashes or denial of service in environments relying on virtio GPU virtualization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart