zram: fix use-after-free in zram_bvec_write_partial()

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-53185
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-25 09:16:35 UTC
Updated2026-06-25 09:16:35 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zram_bvec_write_partial() zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page. zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.

Risk And Classification

EPSS: 0.001750000 probability, percentile 0.072330000 (date 2026-06-26)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 8e654f8fbff52ac483fb69957222853d7e2fc588 0c2821665ff71be3f4b07ecece384669f2877f6a git Not specified
CNA Linux Linux affected 8e654f8fbff52ac483fb69957222853d7e2fc588 77a602b505ce4802915853cfc435a4722fab3e64 git Not specified
CNA Linux Linux affected 8e654f8fbff52ac483fb69957222853d7e2fc588 c96786d6ff1acc1d54d9241e97767554c1dfdd5b git Not specified
CNA Linux Linux affected 8e654f8fbff52ac483fb69957222853d7e2fc588 198b5a14cca27263b9c14b20114c8092de15dfcb git Not specified
CNA Linux Linux affected 8e654f8fbff52ac483fb69957222853d7e2fc588 732fd9f0b9c1cdc6dfd77162ded60df005182cc0 git Not specified
CNA Linux Linux affected 4.14 Not specified
CNA Linux Linux unaffected 4.14 semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/0c2821665ff71be3f4b07ecece384669f2877f6a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/198b5a14cca27263b9c14b20114c8092de15dfcb 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/732fd9f0b9c1cdc6dfd77162ded60df005182cc0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/77a602b505ce4802915853cfc435a4722fab3e64 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/c96786d6ff1acc1d54d9241e97767554c1dfdd5b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report