CVE-2026-53304
Received - Intake
Soft Lockup in Linux Kernel SCSI Generic Module

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Resolve soft lockup issue when opening /dev/sgX

The parameter def_reserved_size defines the default buffer size reserved for each Sg_fd and should be restricted to a range between 0 and 1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the function sg_proc_write_dressz enforces this limit, it is possible to bypass it by directly modifying the module parameter as shown below, which then causes a soft lockup:

    echo -1 > /sys/module/sg/parameters/def_reserved_size
    exec 4<> /dev/sg0

    watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
    Modules loaded:
    CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled
    Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014
    ...
    Call Trace:
     sg_build_reserve+0x5c/0xa0
     sg_add_sfp+0x168/0x270
     sg_open+0x16e/0x340
     chrdev_open+0xbe/0x230
     do_dentry_open+0x175/0x480
     vfs_open+0x34/0xf0
     do_open+0x265/0x3d0
     path_openat+0x110/0x290
     do_filp_open+0xc3/0x170
     do_sys_openat2+0x71/0xe0
     __x64_sys_openat+0x6d/0xa0
     do_syscall_64+0x62/0x310
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

The fix is to use module_param_cb to validate and reject invalid values assigned to def_reserved_size.

Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor | Product      | Version / Range
linux  | linux_kernel | 6.19.0-rc3+

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's SCSI generic (sg) driver. It involves the parameter def_reserved_size, which sets the default buffer size reserved for each Sg_fd. Although the kernel function sg_proc_write_dressz enforces a limit on this parameter between 0 and 1,048,576, it is possible to bypass this limit by directly modifying the module parameter to an invalid value (e.g., -1).

Once def_reserved_size holds an invalid value, opening a /dev/sgX device can cause a soft lockup: the CPU stays stuck in kernel code for an extended period, effectively freezing the system or process. The call trace in the description shows the stuck CPU in sg_build_reserve, reached from sg_open through sg_add_sfp, so the hang occurs while the driver sets up the reserved buffer for the newly opened file descriptor.

The vulnerability was fixed by adding validation using module_param_cb to reject invalid values assigned to def_reserved_size, preventing the soft lockup condition.

Impact Analysis

This vulnerability can cause a soft lockup in the Linux kernel when the /dev/sgX device is opened with an invalid buffer size parameter. A soft lockup means the CPU gets stuck for a significant amount of time, which can lead to system instability, unresponsiveness, or denial of service conditions.

If exploited, it could disrupt normal system operations, potentially affecting applications or services relying on the SCSI generic driver, causing them to hang or crash. The reproduction quoted in the description runs as UID 0.

Detection Guidance

This vulnerability can be detected by checking if the module parameter def_reserved_size for the sg module has been set to an invalid value outside the allowed range (0 to 1,048,576). Specifically, if def_reserved_size is set to a negative value like -1, it can cause a soft lockup when opening /dev/sgX devices.

You can check the current value of def_reserved_size with the following command:

  • cat /sys/module/sg/parameters/def_reserved_size

If the value is outside the valid range, the next open of a /dev/sgX device may trigger the soft lockup.

Additionally, attempting to open /dev/sgX with an invalid def_reserved_size can cause a soft lockup, which can be observed in system logs or by running commands that open the device, for example:

  • exec 4<> /dev/sg0

Monitoring system logs for soft lockup messages related to the sg module or CPU stuck warnings can also help detect exploitation attempts.
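
The two checks above can be combined into one audit script. This is an added example, not code from the kernel project or from this page; the function names are hypothetical and the sample log is constructed from the report quoted in the description.

```shell
#!/bin/sh
# Added example: audit sg def_reserved_size and scan logs for the sg soft lockup.
SG_PARAM=/sys/module/sg/parameters/def_reserved_size
SG_MAX=1048576   # upper bound stated in the CVE description

# Return 0 if $1 is an integer within 0..SG_MAX, 1 otherwise.
sg_value_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, negative or non-numeric
    esac
    [ "${#1}" -le 7 ] && [ "$1" -le "$SG_MAX" ]   # length guard avoids overflow
}

# Report on the parameter file ($1, default: the live sysfs path).
check_sg_param() {
    f=${1:-$SG_PARAM}
    [ -r "$f" ] || { echo "SKIP: $f not readable (sg not loaded?)"; return 2; }
    v=$(cat "$f")
    if sg_value_ok "$v"; then
        echo "OK: def_reserved_size=$v"
    else
        echo "ALERT: def_reserved_size=$v outside 0..$SG_MAX"; return 1
    fi
}

# Count soft lockup reports on stdin whose following 40 lines
# contain an sg_build_reserve frame (the top frame in the CVE trace).
count_sg_lockups() {
    awk '
        /watchdog: BUG: soft lockup/ { window = 40; next }
        window > 0 { window--
                     if (index($0, "sg_build_reserve+")) { hits++; window = 0 } }
        END { print hits + 0 }
    '
}

# Constructed sample log: one sg-related lockup, one unrelated lockup.
SAMPLE_LOG='kernel: watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
kernel: Call Trace:
kernel:  sg_build_reserve+0x5c/0xa0
kernel:  sg_add_sfp+0x168/0x270
kernel:  sg_open+0x16e/0x340
kernel: watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [kworker/1:0:88]
kernel:  some_other_function+0x10/0x20'

check_sg_param || true
printf '%s\n' "$SAMPLE_LOG" | count_sg_lockups   # prints 1
```

On a live host, feed count_sg_lockups from the kernel log (for example dmesg output) instead of the sample.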

Mitigation Strategies

To mitigate this vulnerability, ensure that the module parameter def_reserved_size for the sg module is set within the valid range of 0 to 1,048,576.

Avoid manually setting def_reserved_size to invalid values such as negative numbers.

If you have control over kernel module parameters, reset def_reserved_size to a safe value by running:

  • echo 65536 > /sys/module/sg/parameters/def_reserved_size

Additionally, update your Linux kernel to a version that includes the fix, which uses module_param_cb to validate and reject invalid values assigned to def_reserved_size.
