In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix use-after-free race in fastrpcmapcreate
fastrpcmaplookup returns a raw pointer after releasing fl->lock. The caller fastrpcmapcreate then calls fastrpcmapget (krefgetunlesszero) on this unprotected pointer. A concurrent MEMUNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object.
Restore the takeref parameter to fastrpcmap_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53160.json",
"cna_assigner": "Linux"
}