ipc: limit next_id allocation to the valid ID range
Summary
| CVE | CVE-2026-52923 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 08:16:22 UTC |
| Updated | 2026-07-10 12:17:09 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ipc: limit next_id allocation to the valid ID range The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id. ipc_idr_alloc() currently forwards that request to idr_alloc() with an open-ended upper bound. If the valid tail of the SysV IPC id space is full, the allocation can spill beyond ipc_mni. The returned SysV IPC id still uses the normal index encoding, so later lookup and removal can target the wrong slot. This leaves the real IDR entry behind and breaks the IDR state for the object. The bug is in ipc_idr_alloc() in the checkpoint/restore path. 1. ids->next_id is passed to: idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...) 2. The zero upper bound makes the allocation effectively open-ended. Once the valid SysV IPC tail is occupied, idr_alloc() can spill past ipc_mni and allocate an entry beyond the valid IPC id range. 3. The new object id is still encoded with the narrower SysV IPC index width: new->id = (new->seq << ipcmni_seq_shift()) + idx 4. Later removal goes through ipc_rmid(), which uses: ipcid_to_idx(ipcp->id) That truncates the real IDR index. An object actually stored at a high index can then be removed as if it lived at a low in-range index. 5. For shared memory, shm_destroy() frees the current object anyway, but the real high IDR slot is left behind as a dangling pointer. 6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry and dereferences freed memory. Prevent this by bounding the requested allocation to ipc_mni so the checkpoint/restore path fails once the valid range is exhausted. |
Risk And Classification
Primary CVSS: v3.1 5.8 MEDIUM from ADP
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
EPSS: 0.001250000 probability, percentile 0.026110000 (date 2026-07-09)
Problem Types: CWE-401 | CWE-825 | CWE-825 Expired Pointer Dereference
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 5.8 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 5.8 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 3bbe2bb9111ce6967a951bfac79af142d816fae5 git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 8c58a92849175f5e2ab7bc2734b3b89afe79f6ef git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c af24e202b543ded8a34f1d5d3db54eb916173f04 git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 157ce2c6836ce0ff19108a819f38df061345425f git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 41058d4c3f63ab64901560a704882e0565f4e456 git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c a3cc795129e5ec0f8948653a3bf471e7d8852f5e git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c bd4be70669af55b974860d13680348cfdf50bbed git | Not specified |
| CNA | Linux | Linux | affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 git | Not specified |
| CNA | Linux | Linux | affected 3.8 | Not specified |
| CNA | Linux | Linux | unaffected 3.8 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.259 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.210 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.176 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.143 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.93 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.35 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.12 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| access.redhat.com/security/cve/CVE-2026-52923 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52923.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-24T00:00:00.000Z | Reported to Red Hat. |
| ADP | 2026-06-24T00:00:00.000Z | Made public. |
There are currently no legacy QID mappings associated with this CVE.