CVE-2026-53341

Use-After-Free in Linux Kernel mnt_ns Access

Vulnerability report for CVE-2026-53341, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()

may_decode_fh() accesses mount::mnt_ns without holding any locks; that means the mount can concurrently be unmounted, and the mnt_namespace can concurrently be freed after an RCU grace period.

This race can happen as follows, assuming that the mount point was created by open_tree(..., OPEN_TREE_CLONE):

thread 1                             thread 2                             RCU
__do_sys_open_by_handle_at
  do_handle_open
    handle_to_path
      may_decode_fh
        is_mounted
          [mount::mnt_ns access]
        [mount::mnt_ns access]
                                     __do_sys_close
                                       fput_close_sync
                                         __fput
                                           dissolve_on_fput
                                             umount_tree
                                             class_namespace_excl_destructor
                                               namespace_unlock
                                                 free_mnt_ns
                                                   mnt_ns_tree_remove
                                                     call_rcu(mnt_ns_release_rcu)
                                                                                  mnt_ns_release_rcu
                                                                                    mnt_ns_release
                                                                                      kfree
        [mnt_namespace::user_ns access] **UAF**

Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like in __prepend_path(). Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE() for writers that can race with lockless readers.

This bug is unreachable unless one of the following is set:

- CONFIG_PREEMPTION
- CONFIG_RCU_STRICT_GRACE_PERIOD

because it requires an RCU grace period to happen during a syscall without an explicit preemption.

This doesn't seem to have interesting security impact; worst-case, it could leak the result of an integer comparison to userspace (from the level check in cap_capable()), cause an endless loop, or crash the kernel by dereferencing an invalid address.


Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Exploitability

CWE ID        Description
CWE-UNKNOWN

Executive Summary

This vulnerability is a use-after-free (UAF) bug in the Linux kernel related to the handling of mount namespaces in the function may_decode_fh().

The function may_decode_fh() reads the mount's namespace pointer (mount::mnt_ns) without holding any lock. Nothing therefore stops another thread from unmounting the mount concurrently, after which the mnt_namespace is released once an RCU grace period has elapsed.

This race condition can lead to accessing freed memory (use-after-free), potentially causing kernel crashes or other unintended behavior.

The race is only reachable in practice on kernels built with CONFIG_PREEMPTION or CONFIG_RCU_STRICT_GRACE_PERIOD, because an RCU grace period has to complete between the lockless load of mount::mnt_ns and the later dereference of the namespace, and both happen inside a single syscall with no explicit preemption point in between.

The fix involves adding proper RCU read locks around the mount namespace access and using WRITE_ONCE() to prevent race conditions between writers and lockless readers.

Impact Analysis

The vulnerability does not appear to have significant security impact.

At worst, it could leak the result of an integer comparison to userspace, cause an endless loop, or crash the kernel by dereferencing an invalid address.

Such impacts could lead to system instability or denial of service but are unlikely to result in privilege escalation or data compromise.

Mitigation Strategies

The vulnerability is fixed by ensuring that rcu_read_lock() is taken around the mount::mnt_ns access, similar to the approach used in __prepend_path().

The patch also documents the semantics of mount::mnt_ns and switches writers that can race with lockless readers to WRITE_ONCE().

Because reachability depends on CONFIG_PREEMPTION or CONFIG_RCU_STRICT_GRACE_PERIOD, check the running kernel's configuration (/proc/config.gz or /boot/config-<release>) for either option set to y; note that CONFIG_PREEMPT_DYNAMIC selects CONFIG_PREEMPTION, so many distribution kernels qualify. Whatever the result, the remediation is to apply the patch or move to a kernel release that includes it: the configuration only affects whether the race window can be hit, not whether the bug is present.
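The interleaving from the description above and the rcu_read_lock() fix discussed under Mitigation Strategies, as an added user-space model that is not the kernel's code and not part of the original advisory. The structs, the single-callback RCU emulation, the FREED_USER_NS poison value, the DECODE_* return codes and run_race() are assumptions made to keep the model self-contained; the function names only mirror those in the report's call chain. The unlocked reader loads mount::mnt_ns, thread 2 unmounts and a grace period completes, and the reader then touches a released namespace; the fixed reader performs the same steps inside a read-side critical section, which keeps the grace period, and therefore the release, from completing until it is done.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed, minimal stand-ins for the kernel structures named in the report. */
struct user_namespace { int level; };
struct mnt_namespace  { struct user_namespace *user_ns; };
struct mount          { struct mnt_namespace *mnt_ns; };

#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

/* Poison written into a "freed" namespace so the UAF is observable here. */
#define FREED_USER_NS ((struct user_namespace *)0xdead)

enum { DECODE_OK = 0, DECODE_NOT_MOUNTED = -1, DECODE_EPERM = -2, DECODE_UAF = -3 };

/* Toy RCU: one pending callback, runnable only when no reader is inside a section. */
static int rcu_readers;
static struct mnt_namespace *rcu_pending;

static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; }
static void call_rcu(struct mnt_namespace *ns) { rcu_pending = ns; }
static void mnt_ns_release(struct mnt_namespace *ns) { ns->user_ns = FREED_USER_NS; } /* kfree() */

/* Returns true if the grace period ended and the deferred release ran. */
static bool rcu_grace_period(void)
{
    if (rcu_readers > 0 || rcu_pending == NULL)
        return false;
    mnt_ns_release(rcu_pending);
    rcu_pending = NULL;
    return true;
}

/* Thread 2: dissolve_on_fput() -> umount_tree() -> free_mnt_ns(); WRITE_ONCE() because lockless readers may race. */
static void umount_tree(struct mount *m)
{
    struct mnt_namespace *ns = m->mnt_ns;
    WRITE_ONCE(m->mnt_ns, NULL);
    call_rcu(ns);
}

/* Stand-in for the level check cap_capable() performs on mnt_ns->user_ns. */
static int check_user_ns(struct mnt_namespace *ns, int caller_level)
{
    if (ns->user_ns == FREED_USER_NS)
        return DECODE_UAF;          /* the kernel would dereference freed memory here */
    return caller_level <= ns->user_ns->level ? DECODE_OK : DECODE_EPERM;
}

/* Pre-fix may_decode_fh(): lockless load, then thread 2 and a grace period run before the dereference. */
static int may_decode_fh_unlocked(struct mount *m, int caller_level)
{
    struct mnt_namespace *ns = m->mnt_ns;
    if (ns == NULL)
        return DECODE_NOT_MOUNTED;  /* is_mounted() failed */
    umount_tree(m);
    rcu_grace_period();             /* succeeds: nobody holds rcu_read_lock() */
    return check_user_ns(ns, caller_level);
}

/* Fixed may_decode_fh(): same interleaving, but inside a read-side critical section. */
static int may_decode_fh_rcu(struct mount *m, int caller_level)
{
    rcu_read_lock();
    struct mnt_namespace *ns = READ_ONCE(m->mnt_ns);
    if (ns == NULL) {
        rcu_read_unlock();
        return DECODE_NOT_MOUNTED;
    }
    umount_tree(m);
    rcu_grace_period();             /* fails: this reader is still inside the section */
    int ret = check_user_ns(ns, caller_level);
    rcu_read_unlock();
    return ret;
}

/* Runs one reader variant against the race; already_unmounted models a mount dissolved beforehand. */
static int run_race(bool fixed, bool already_unmounted)
{
    struct user_namespace uns = { .level = 1 };
    struct mnt_namespace *ns = calloc(1, sizeof *ns);
    struct mount m = { .mnt_ns = ns };

    ns->user_ns = &uns;
    if (already_unmounted) {
        umount_tree(&m);
        rcu_grace_period();
    }
    int ret = fixed ? may_decode_fh_rcu(&m, 0) : may_decode_fh_unlocked(&m, 0);
    rcu_grace_period();             /* reader is out; the deferred release may run now */
    free(ns);
    return ret;
}

int main(void)
{
    printf("unlocked=%d rcu=%d unmounted=%d\n",
           run_race(false, false), run_race(true, false), run_race(true, true));
    return 0;
}
```

Compile with gcc or clang (C99 or later); the __typeof__-based READ_ONCE/WRITE_ONCE macros follow the shape of the kernel's but are not its implementation. In the real kernel the window between the load and the dereference only opens when the task can be preempted or grace periods are forced, which is the CONFIG_PREEMPTION / CONFIG_RCU_STRICT_GRACE_PERIOD condition stated in the report.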

Compliance Impact

The provided information does not indicate any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

The vulnerability is described as a use-after-free (UAF) bug in the Linux kernel related to mount namespace handling, which could potentially cause kernel crashes or leaks of minor information like the result of an integer comparison.

However, it is explicitly stated that this bug does not seem to have interesting security impact, implying no direct data breach or exposure that would typically affect regulatory compliance.
