In the Linux kernel, the following vulnerability has been resolved:
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
When FUTEXCMPREQUEUEPI requeues a non-top waiter that already owns the target PI futex, taskblocksonrt_mutex() returns -EDEADLK before setting waiter->task.
The subsequent removewaiter() in rtmutexstartproxy_lock() dereferences the NULL waiter->task, causing a kernel crash.
Add a self-deadlock check for non-top waiters before calling rtmutexstartproxylock(), analogous to the top-waiter check in futexlockpi_atomic().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53166.json",
"cna_assigner": "Linux"
}