CVE-2026-53304

Source
https://cve.org/CVERecord?id=CVE-2026-53304
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53304.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53304
Downstream
Published
2026-06-26T19:41:00.056Z
Modified
2026-07-08T08:07:25.165498406Z
Summary
scsi: sg: Resolve soft lockup issue when opening /dev/sgX
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Resolve soft lockup issue when opening /dev/sgX

The parameter defreservedsize defines the default buffer size reserved for each Sgfd and should be restricted to a range between 0 and 1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the function sgprocwritedressz enforces this limit, it is possible to bypass it by directly modifying the module parameter as shown below, which then causes a soft lockup:

echo -1 > /sys/module/sg/parameters/defreservedsize exec 4<> /dev/sg0

watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537] Modules loaded: CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014 ... Call Trace:

sgbuildreserve+0x5c/0xa0 sgaddsfp+0x168/0x270 sgopen+0x16e/0x340 chrdevopen+0xbe/0x230 dodentryopen+0x175/0x480 vfsopen+0x34/0xf0 doopen+0x265/0x3d0 pathopenat+0x110/0x290 dofilpopen+0xc3/0x170 dosys_openat2+0x71/0xe0 __x64sysopenat+0x6d/0xa0 dosyscall64+0x62/0x310 entrySYSCALL64afterhwframe+0x76/0x7e

The fix is to use moduleparamcb to validate and reject invalid values assigned to defreservedsize.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53304.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6460e75a104d10458817d2f5b2fbff775bf0b43a
Fixed
3d74e0654ac908c65a8f20373091826fe43b1363
Fixed
c47ccfb3d80dfed522ca06a5954ac97488d78c5a
Fixed
fe671d3c84ffb1b763d590c25195755adeaadaba
Fixed
c5f4a211e82d04ccc1809311322c47023bbe66e2
Fixed
9676ca7b1ef31a3a65b3e61e7ce3b54ce7364202
Fixed
1afd963fcd963db0dc5d47df6dfcf010c9c4647e
Fixed
feade299e932967de27519338d41de348fb5b061
Fixed
d06a310b45e153872033dd0cf19d5a2279121099

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53304.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.19
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53304.json"