CVE-2026-53324
Received Received - Intake
Debugfs Directory Naming Issue in Linux Kernel

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: mana: Use pci_name() for debugfs directory naming Use pci_name(pdev) for the per-device debugfs directory instead of hardcoded "0" for PFs and pci_slot_name(pdev->slot) for VFs. The previous approach had two issues: 1. pci_slot_name() dereferences pdev->slot, which can be NULL for VFs in environments like generic VFIO passthrough or nested KVM, causing a NULL pointer dereference. 2. Multiple PFs would all use "0", and VFs across different PCI domains or buses could share the same slot name, leading to -EEXIST errors from debugfs_create_dir(). pci_name(pdev) returns the unique BDF address, is always valid, and is unique across the system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-53324
EUVD
EUVD-2026-39859
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network component related to the mana driver. It involves how debugfs directories are named for PCI devices. Previously, the code used pci_slot_name(pdev->slot) for virtual functions (VFs) and a hardcoded "0" for physical functions (PFs). This caused two problems: first, pci_slot_name() could dereference a NULL pointer if pdev->slot was NULL in certain environments, leading to a crash. Second, multiple PFs would share the same directory name "0", and VFs across different PCI domains or buses could have duplicate slot names, causing errors when creating debugfs directories.

The fix changes the naming to use pci_name(pdev), which returns a unique and always valid BDF (Bus:Device.Function) address for each device, preventing NULL pointer dereferences and naming collisions.

Impact Analysis

This vulnerability can cause system instability or crashes due to NULL pointer dereferences when handling virtual functions in certain environments like VFIO passthrough or nested KVM. Additionally, it can lead to errors when creating debugfs directories because of naming collisions between physical and virtual functions, potentially impacting debugging and system monitoring processes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart