efi/capsule-loader: fix incorrect sizeof in phys array reallocation
Summary
| CVE | CVE-2026-53047 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:16 UTC |
| Updated | 2026-06-24 17:17:16 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site. |
Risk And Classification
EPSS: 0.001950000 probability, percentile 0.093570000 (date 2026-06-29)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 22022cd8851703a58f67615a17bc7e9e8682785b git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 67adde6bfdfd563a54b045d59aeb9a2d90c80697 git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 608e1f7bc9d171ab26c1fba288c97fc76363c27d git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 8be69e9245f805566bac68ffc8574b64735fd996 git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 5e185330d902b12fe8e6eb4b8514b5d736d8d66d git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 e0e6b14995fd6fa2c0df8c712d76ab32f0694c31 git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 ab3f7098a3a27175b91cfc947950f5c26855801b git | Not specified |
| CNA | Linux | Linux | affected f24c4d478013d82bd1b943df566fff3561d52864 48a428215782321b56956974f23593e40ce84b7a git | Not specified |
| CNA | Linux | Linux | affected 95a362c9a6892085f714eb6e31eea6a0e3aa93bf git | Not specified |
| CNA | Linux | Linux | affected 4.14.13 4.15 semver | Not specified |
| CNA | Linux | Linux | affected 4.15 | Not specified |
| CNA | Linux | Linux | unaffected 4.15 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/67adde6bfdfd563a54b045d59aeb9a2d90c80697 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/22022cd8851703a58f67615a17bc7e9e8682785b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8be69e9245f805566bac68ffc8574b64735fd996 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ab3f7098a3a27175b91cfc947950f5c26855801b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/48a428215782321b56956974f23593e40ce84b7a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5e185330d902b12fe8e6eb4b8514b5d736d8d66d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/608e1f7bc9d171ab26c1fba288c97fc76363c27d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/e0e6b14995fd6fa2c0df8c712d76ab32f0694c31 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.