In the Linux kernel, the following vulnerability has been resolved:
scsi: sg: Resolve soft lockup issue when opening /dev/sgX
The parameter defreservedsize defines the default buffer size reserved for each Sgfd and should be restricted to a range between 0 and 1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the function sgprocwritedressz enforces this limit, it is possible to bypass it by directly modifying the module parameter as shown below, which then causes a soft lockup:
echo -1 > /sys/module/sg/parameters/defreservedsize exec 4<> /dev/sg0
watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537] Modules loaded: CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014 ... Call Trace:
sgbuildreserve+0x5c/0xa0 sgaddsfp+0x168/0x270 sgopen+0x16e/0x340 chrdevopen+0xbe/0x230 dodentryopen+0x175/0x480 vfsopen+0x34/0xf0 doopen+0x265/0x3d0 pathopenat+0x110/0x290 dofilpopen+0xc3/0x170 dosys_openat2+0x71/0xe0 __x64sysopenat+0x6d/0xa0 dosyscall64+0x62/0x310 entrySYSCALL64afterhwframe+0x76/0x7e
The fix is to use moduleparamcb to validate and reject invalid values assigned to defreservedsize.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53304.json",
"cna_assigner": "Linux"
}