efi/capsule-loader: fix incorrect sizeof in phys array reallocation

Summary

CVECVE-2026-53047
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 17:17:16 UTC
Updated2026-06-24 17:17:16 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.

Risk And Classification

EPSS: 0.001950000 probability, percentile 0.093570000 (date 2026-06-29)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 22022cd8851703a58f67615a17bc7e9e8682785b git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 67adde6bfdfd563a54b045d59aeb9a2d90c80697 git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 608e1f7bc9d171ab26c1fba288c97fc76363c27d git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 8be69e9245f805566bac68ffc8574b64735fd996 git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 5e185330d902b12fe8e6eb4b8514b5d736d8d66d git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 e0e6b14995fd6fa2c0df8c712d76ab32f0694c31 git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 ab3f7098a3a27175b91cfc947950f5c26855801b git Not specified
CNA Linux Linux affected f24c4d478013d82bd1b943df566fff3561d52864 48a428215782321b56956974f23593e40ce84b7a git Not specified
CNA Linux Linux affected 95a362c9a6892085f714eb6e31eea6a0e3aa93bf git Not specified
CNA Linux Linux affected 4.14.13 4.15 semver Not specified
CNA Linux Linux affected 4.15 Not specified
CNA Linux Linux unaffected 4.15 semver Not specified
CNA Linux Linux unaffected 5.10.258 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.141 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.91 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.33 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.10 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/67adde6bfdfd563a54b045d59aeb9a2d90c80697 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/22022cd8851703a58f67615a17bc7e9e8682785b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8be69e9245f805566bac68ffc8574b64735fd996 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ab3f7098a3a27175b91cfc947950f5c26855801b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/48a428215782321b56956974f23593e40ce84b7a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/5e185330d902b12fe8e6eb4b8514b5d736d8d66d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/608e1f7bc9d171ab26c1fba288c97fc76363c27d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/e0e6b14995fd6fa2c0df8c712d76ab32f0694c31 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report