locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

Summary

CVE: CVE-2026-53163
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-25 09:16:33 UTC
Updated: 2026-07-04 12:16:59 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI:

  KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
  class_raw_spinlock_constructor
  remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
  rt_mutex_start_proxy_lock+0x103/0x120
  futex_requeue+0x10e4/0x20d0
  __x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() upon successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly") moved the remove_waiter() out of __rt_mutex_start_proxy_lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try_to_take_rt_mutex().

Risk And Classification

EPSS: 0.001730000 probability, percentile 0.070010000 (date 2026-07-03)

Vendor Declared Affected Products

Source | Vendor | Product | Version | Platforms
CNA | Linux | Linux | affected d8cce4773c2b23d819baf5abedc62f7b430e8745 4afda3a1da02129568a3a2f1898aa13e6763bcba git | Not specified
CNA | Linux | Linux | affected 8a1fc8d698ac5e5916e3082a0f74450d71f9611f 6707d7e0b71748cb3cd95bad81dae5fe1b3c8f48 git | Not specified
CNA | Linux | Linux | affected 6d52dfcb2a5db86e346cf51f8fcf2071b8085166 5799f9bd7fee40370b93ab1ddf001cdc7017c14d git | Not specified
CNA | Linux | Linux | affected 3fb7394a837740770f0d6b4b30567e60786a63f2 a388e3dfaf9538a680de5ed43a8ebb5dd45b6e53 git | Not specified
CNA | Linux | Linux | affected 88614876370aac8ad1050ad785a4c095ba17ac11 55363fa0a04524d11efeaadee734d2db1756ed27 git | Not specified
CNA | Linux | Linux | affected 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 40a25d59e85b3c8709ac2424d44f65610467871e git | Not specified
CNA | Linux | Linux | affected 6.1.175 6.1.177 semver | Not specified
CNA | Linux | Linux | affected 6.6.140 6.6.144 semver | Not specified
CNA | Linux | Linux | affected 6.12.86 6.12.95 semver | Not specified
CNA | Linux | Linux | affected 6.18.27 6.18.36 semver | Not specified
CNA | Linux | Linux | affected 7.0.4 7.0.13 semver | Not specified

References

Reference | Source | Link | Tags
git.kernel.org/stable/c/6707d7e0b71748cb3cd95bad81dae5fe1b3c8f48 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/4afda3a1da02129568a3a2f1898aa13e6763bcba | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/55363fa0a04524d11efeaadee734d2db1756ed27 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/5799f9bd7fee40370b93ab1ddf001cdc7017c14d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/a388e3dfaf9538a680de5ed43a8ebb5dd45b6e53 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/40a25d59e85b3c8709ac2424d44f65610467871e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis