{"api_version":"1","generated_at":"2026-07-12T22:35:22+00:00","cve":"CVE-2026-52923","urls":{"html":"https://cve.report/CVE-2026-52923","api":"https://cve.report/api/cve/CVE-2026-52923.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-52923","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-52923"},"summary":{"title":"ipc: limit next_id allocation to the valid ID range","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids->next_id.  ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni.  The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids->next_id is passed to:\n\n       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n   ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n   width:\n\n       new->id = (new->seq << ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n       ipcid_to_idx(ipcp->id)\n\n   That truncates the real IDR index. An object actually stored at a\n   high index can then be removed as if it lived at a low in-range\n   index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n   the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n   and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 08:16:22","updated_at":"2026-07-10 12:17:09"},"problem_types":["CWE-401","CWE-825","CWE-825 Expired Pointer Dereference"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"5.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","version":"3.1"}},{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"5.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","baseScore":5.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456","name":"https://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed","name":"https://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04","name":"https://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492094","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2492094","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":["Issue Tracking","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e","name":"https://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5","name":"https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f","name":"https://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-52923","name":"https://access.redhat.com/security/cve/CVE-2026-52923","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139","name":"https://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef","name":"https://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52923.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52923.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-52923","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52923","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 3bbe2bb9111ce6967a951bfac79af142d816fae5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 8c58a92849175f5e2ab7bc2734b3b89afe79f6ef git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c af24e202b543ded8a34f1d5d3db54eb916173f04 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 157ce2c6836ce0ff19108a819f38df061345425f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c 41058d4c3f63ab64901560a704882e0565f4e456 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c a3cc795129e5ec0f8948653a3bf471e7d8852f5e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c bd4be70669af55b974860d13680348cfdf50bbed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 03f595668017f1a1fb971c02fc37140bc6e7bb1c fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.8","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.8 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.93 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.35 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.12 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-06-24T00:00:00.000Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-06-24T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"52923","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"52923","cve":"CVE-2026-52923","epss":"0.001250000","percentile":"0.026110000","score_date":"2026-07-09","updated_at":"2026-07-10 00:08:29"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unknown","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"}],"datePublic":"2026-06-24T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in the Linux kernel. The `ipc_idr_alloc()` function, used in the checkpoint/restore path for SysV Inter-Process Communication (IPC) ID allocation, does not properly limit ID allocation to the valid range. This can result in the system attempting to dereference freed memory, leading to a use-after-free vulnerability. This issue could potentially cause system instability or information disclosure."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-825","description":"Expired Pointer Dereference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-10T12:05:47.355Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-52923"},{"name":"RHBZ#2492094","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492094"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52923.json"}],"timeline":[{"lang":"en","time":"2026-06-24T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-24T00:00:00.000Z","value":"Made public."}],"title":"kernel: ipc: limit next_id allocation to the valid ID range","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["ipc/util.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"3bbe2bb9111ce6967a951bfac79af142d816fae5","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"8c58a92849175f5e2ab7bc2734b3b89afe79f6ef","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"af24e202b543ded8a34f1d5d3db54eb916173f04","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"157ce2c6836ce0ff19108a819f38df061345425f","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"41058d4c3f63ab64901560a704882e0565f4e456","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"a3cc795129e5ec0f8948653a3bf471e7d8852f5e","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"bd4be70669af55b974860d13680348cfdf50bbed","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"},{"lessThan":"fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139","status":"affected","version":"03f595668017f1a1fb971c02fc37140bc6e7bb1c","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["ipc/util.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.8"},{"lessThan":"3.8","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.93","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.35","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.12","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.93","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.35","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.12","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"3.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids->next_id.  ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni.  The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids->next_id is passed to:\n\n       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n   ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n   width:\n\n       new->id = (new->seq << ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n       ipcid_to_idx(ipcp->id)\n\n   That truncates the real IDR index. An object actually stored at a\n   high index can then be removed as if it lived at a low in-range\n   index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n   the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n   and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted."}],"metrics":[{"cvssV3_1":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-06-28T06:36:45.317Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5"},{"url":"https://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef"},{"url":"https://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04"},{"url":"https://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f"},{"url":"https://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456"},{"url":"https://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e"},{"url":"https://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed"},{"url":"https://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139"}],"title":"ipc: limit next_id allocation to the valid ID range","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-52923","datePublished":"2026-06-24T07:14:17.849Z","dateReserved":"2026-06-09T07:44:35.367Z","dateUpdated":"2026-07-10T12:05:47.355Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 08:16:22","lastModifiedDate":"2026-07-10 12:17:09","problem_types":["CWE-401","CWE-825","CWE-825 Expired Pointer Dereference"],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","baseScore":5.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":1,"impactScore":4.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8.1","versionEndExcluding":"5.10.259","matchCriteriaId":"F08F7D70-EED1-4396-9C1B-0B673DE278A0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.93","matchCriteriaId":"1E73413E-0629-41AA-A4D3-5A3D10A0BD63"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.35","matchCriteriaId":"0FCCB23A-7629-4386-93B6-B119237C4382"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.12","matchCriteriaId":"9161A938-0FA8-44BC-95FE-C5A271601AB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.8:-:*:*:*:*:*:*","matchCriteriaId":"BEE536AD-20BA-4893-AF2B-B6CF446F5FB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.8:rc3:*:*:*:*:*:*","matchCriteriaId":"6E108893-AAAF-48F4-9376-71AC33C7A40E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.8:rc4:*:*:*:*:*:*","matchCriteriaId":"AC348729-8654-4178-851F-5C4BE4B5C806"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.8:rc5:*:*:*:*:*:*","matchCriteriaId":"1A29F057-1966-4A35-83AE-844FF160388B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.8:rc6:*:*:*:*:*:*","matchCriteriaId":"FC426C5C-DA23-494D-888F-4E3712EBA3E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.8:rc7:*:*:*:*:*:*","matchCriteriaId":"70810C1C-2B24-47DF-9357-E9D755D1BE99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"52923","Ordinal":"1","Title":"ipc: limit next_id allocation to the valid ID range","CVE":"CVE-2026-52923","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"52923","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids->next_id.  ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni.  The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids->next_id is passed to:\n\n       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n   ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n   width:\n\n       new->id = (new->seq << ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n       ipcid_to_idx(ipcp->id)\n\n   That truncates the real IDR index. An object actually stored at a\n   high index can then be removed as if it lived at a low in-range\n   index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n   the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n   and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted.","Type":"Description","Title":"ipc: limit next_id allocation to the valid ID range"}]}}}