CVE-2026-53165

Source
https://cve.org/CVERecord?id=CVE-2026-53165
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53165.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53165
Downstream
Published
2026-06-25T08:38:45.445Z
Modified
2026-07-09T03:52:15.617990382Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
iomap: avoid potential null folio->mapping deref during error reporting
Details

In the Linux kernel, the following vulnerability has been resolved:

iomap: avoid potential null folio->mapping deref during error reporting

When a buffered read fails, iomapfinishfolioread() reports the error with fserrorreportio(folio->mapping->host, ...). This is called after ifs->readbytes_pending has been decremented by the bytes attempted to be read.

For a folio split across multiple read completions, the folio is only guaranteed to stay locked while readbytespending > 0. Once iomapfinishfolioread() decrements readbytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping. As reported by Sam Sun, this is the race that can occur:

CPU0: failed completion CPU1: final completion CPU2: truncate ----------------------- ---------------------- -------------- readbytespending -= len finished = false /* preempted before fserrorreportio() */ readbytespending -= len finished = true folioendread() truncate clears folio->mapping fserrorreportio( folio->mapping->host, ...) ^ NULL deref

Fix this by reporting the error first before decrementing ifs->readbytespending.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53165.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a9d573ee88af980f14fdadb5c12bbf6a195fb3f1
Fixed
1ad453817a4077230d1ba88eb0868f05f824449a
Fixed
2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53165.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53165.json"