CVE-2026-53163

Source
https://cve.org/CVERecord?id=CVE-2026-53163
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53163.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53163
Downstream
Related
Published
2026-06-25T08:38:44.108Z
Modified
2026-07-09T04:44:19.741527426Z
Summary
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
Details

In the Linux kernel, the following vulnerability has been resolved:

locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

syzbot triggered the following splat in removewaiter() via FUTEXCMPREQUEUEPI:

KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] classrawspinlockconstructor removewaiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rtmutexstartproxylock+0x103/0x120 futex_requeue+0x10e4/0x20d0 __x64sysfutex+0x34f/0x4d0

taskblocksonrtmutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal.

Furthermore, rtmutexstartproxylock() should not be calling into removewaiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the removewaiter() out of __rtmutexstartproxylock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for trytotakertmutex().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53163.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d8cce4773c2b23d819baf5abedc62f7b430e8745
Fixed
4afda3a1da02129568a3a2f1898aa13e6763bcba
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8a1fc8d698ac5e5916e3082a0f74450d71f9611f
Fixed
6707d7e0b71748cb3cd95bad81dae5fe1b3c8f48
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6d52dfcb2a5db86e346cf51f8fcf2071b8085166
Fixed
5799f9bd7fee40370b93ab1ddf001cdc7017c14d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3fb7394a837740770f0d6b4b30567e60786a63f2
Fixed
a388e3dfaf9538a680de5ed43a8ebb5dd45b6e53
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
88614876370aac8ad1050ad785a4c095ba17ac11
Fixed
55363fa0a04524d11efeaadee734d2db1756ed27
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
Fixed
40a25d59e85b3c8709ac2424d44f65610467871e

Affected versions

v6.*
v6.1.175
v6.1.176
v6.12.86
v6.12.87
v6.12.88
v6.12.89
v6.12.90
v6.12.91
v6.12.92
v6.12.93
v6.12.94
v6.18.27
v6.18.28
v6.18.29
v6.18.30
v6.18.31
v6.18.32
v6.18.33
v6.18.34
v6.18.35
v6.6.140
v6.6.141
v6.6.142
v6.6.143
v7.*
v7.0.10
v7.0.11
v7.0.12
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53163.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.175
Fixed
6.1.177
Type
ECOSYSTEM
Events
Introduced
6.6.140
Fixed
6.6.144
Type
ECOSYSTEM
Events
Introduced
6.12.86
Fixed
6.12.95
Type
ECOSYSTEM
Events
Introduced
6.18.27
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
7.0.4
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53163.json"