In the Linux kernel, the following vulnerability has been resolved:
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
syzbot triggered the following splat in removewaiter() via FUTEXCMPREQUEUEPI:
KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] classrawspinlockconstructor removewaiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rtmutexstartproxylock+0x103/0x120 futex_requeue+0x10e4/0x20d0 __x64sysfutex+0x34f/0x4d0
taskblocksonrtmutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal.
Furthermore, rtmutexstartproxylock() should not be calling into removewaiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the removewaiter() out of __rtmutexstartproxylock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for trytotakertmutex().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53163.json",
"cna_assigner": "Linux"
}