{"api_version":"1","generated_at":"2026-06-25T17:31:18+00:00","cve":"CVE-2026-52991","urls":{"html":"https://cve.report/CVE-2026-52991","api":"https://cve.report/api/cve/CVE-2026-52991.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-52991","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-52991"},"summary":{"title":"sched/psi: fix race between file release and pressure write","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: fix race between file release and pressure write\n\nA potential race condition exists between pressure write and cgroup file\nrelease regarding the priv member of struct kernfs_open_file, which\ntriggers the uaf reported in [1].\n\nConsider the following scenario involving execution on two separate CPUs:\n\n   CPU0\t\t\t\t\tCPU1\n   ====\t\t\t\t\t====\n\t\t\t\t\tvfs_rmdir()\n\t\t\t\t\tkernfs_iop_rmdir()\n\t\t\t\t\tcgroup_rmdir()\n\t\t\t\t\tcgroup_kn_lock_live()\n\t\t\t\t\tcgroup_destroy_locked()\n\t\t\t\t\tcgroup_addrm_files()\n\t\t\t\t\tcgroup_rm_file()\n\t\t\t\t\tkernfs_remove_by_name()\n\t\t\t\t\tkernfs_remove_by_name_ns()\n vfs_write()\t\t\t\t__kernfs_remove()\n new_sync_write()\t\t\tkernfs_drain()\n kernfs_fop_write_iter()\t\tkernfs_drain_open_files()\n cgroup_file_write()\t\t\tkernfs_release_file()\n pressure_write()\t\t\tcgroup_file_release()\n ctx = of->priv;\n\t\t\t\t\tkfree(ctx);\n \t\t\t\t\tof->priv = NULL;\n\t\t\t\t\tcgroup_kn_unlock()\n cgroup_kn_lock_live()\n cgroup_get(cgrp)\n cgroup_kn_unlock()\n if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv\n\nThe cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards\nthe memory deallocation of of->priv performed within cgroup_file_release().\nHowever, the operations involving of->priv executed within pressure_write()\nare not entirely covered by the protection of cgroup_mutex. 
Consequently,\nif the code in pressure_write(), specifically the section handling the\nctx variable executes after cgroup_file_release() has completed, a uaf\nvulnerability involving of->priv is triggered.\n\nTherefore, the issue can be resolved by extending the scope of the\ncgroup_mutex lock within pressure_write() to encompass all code paths\ninvolving of->priv, thereby properly synchronizing the race condition\noccurring between cgroup_file_release() and pressure_write().\n\nAnd, if an live kn lock can be successfully acquired while executing\nthe pressure write operation, it indicates that the cgroup deletion\nprocess has not yet reached its final stage; consequently, the priv\npointer within open_file cannot be NULL. Therefore, the operation to\nretrieve the ctx value must be moved to a point *after* the live kn\nlock has been successfully acquired.\n\nIn another situation, specifically after entering cgroup_kn_lock_live()\nbut before acquiring cgroup_mutex, there exists a different class of\nrace condition:\n\nCPU0: write memory.pressure               CPU1: write cgroup.pressure=0\n===========================\t\t  =============================\n\nkernfs_fop_write_iter()\n kernfs_get_active_of(of)\n pressure_write()\n   cgroup_kn_lock_live(memory.pressure)\n     cgroup_tryget(cgrp)\n     kernfs_break_active_protection(kn)\n     ... 
blocks on cgroup_mutex\n\n                                     \t  cgroup_pressure_write()\n                                     \t  cgroup_kn_lock_live(cgroup.pressure)\n                                     \t  cgroup_file_show(memory.pressure, false)\n                                     \t    kernfs_show(false)\n                                     \t      kernfs_drain_open_files()\n                                     \t        cgroup_file_release(of)\n                                     \t          kfree(ctx)\n                                     \t            of->priv = NULL\n                                     \t  cgroup_kn_unlock()\n\n   ... acquires cgroup_mutex\n   ctx = of->priv;        // may now be NULL\n   if (ctx->psi.trigger)  // NULL dereference\n\nConsequently, there is a possibility that of->priv is NULL, the pressure\nwrite needs to check for this.\n\nNow that the scope of the cgroup_mutex has been expanded, the original\nexplicit cgroup_get/put operations are no longer necessary, this is\nbecause acquiring/releasing the live kn lock inherently executes a\ncgroup get/put operation.\n\n[1]\nBUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\nCall Trace:\n pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\n cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:43\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:09","updated_at":"2026-06-24 
17:17:09"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/d4352c0709bfd38c752fccbde7fd72a82ac78f23","name":"https://git.kernel.org/stable/c/d4352c0709bfd38c752fccbde7fd72a82ac78f23","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/03dc070fa0fc3cb4068693f468ccd5f8a7e58282","name":"https://git.kernel.org/stable/c/03dc070fa0fc3cb4068693f468ccd5f8a7e58282","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a5b98009f16d8a5fb4a8ff9a193f5735515c38fa","name":"https://git.kernel.org/stable/c/a5b98009f16d8a5fb4a8ff9a193f5735515c38fa","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-52991","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52991","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0e94682b73bfa6c44c98af7a26771c9c08c055d5 03dc070fa0fc3cb4068693f468ccd5f8a7e58282 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0e94682b73bfa6c44c98af7a26771c9c08c055d5 d4352c0709bfd38c752fccbde7fd72a82ac78f23 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0e94682b73bfa6c44c98af7a26771c9c08c055d5 a5b98009f16d8a5fb4a8ff9a193f5735515c38fa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* 
semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/cgroup/cgroup.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"03dc070fa0fc3cb4068693f468ccd5f8a7e58282","status":"affected","version":"0e94682b73bfa6c44c98af7a26771c9c08c055d5","versionType":"git"},{"lessThan":"d4352c0709bfd38c752fccbde7fd72a82ac78f23","status":"affected","version":"0e94682b73bfa6c44c98af7a26771c9c08c055d5","versionType":"git"},{"lessThan":"a5b98009f16d8a5fb4a8ff9a193f5735515c38fa","status":"affected","version":"0e94682b73bfa6c44c98af7a26771c9c08c055d5","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/cgroup/cgroup.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.2"},{"lessThan":"5.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: fix race between file release and pressure write\n\nA potential race condition exists between pressure write and cgroup file\nrelease regarding the priv member of struct kernfs_open_file, which\ntriggers the uaf reported in [1].\n\nConsider the following scenario involving execution on two separate CPUs:\n\n   CPU0\t\t\t\t\tCPU1\n   ====\t\t\t\t\t====\n\t\t\t\t\tvfs_rmdir()\n\t\t\t\t\tkernfs_iop_rmdir()\n\t\t\t\t\tcgroup_rmdir()\n\t\t\t\t\tcgroup_kn_lock_live()\n\t\t\t\t\tcgroup_destroy_locked()\n\t\t\t\t\tcgroup_addrm_files()\n\t\t\t\t\tcgroup_rm_file()\n\t\t\t\t\tkernfs_remove_by_name()\n\t\t\t\t\tkernfs_remove_by_name_ns()\n vfs_write()\t\t\t\t__kernfs_remove()\n new_sync_write()\t\t\tkernfs_drain()\n kernfs_fop_write_iter()\t\tkernfs_drain_open_files()\n cgroup_file_write()\t\t\tkernfs_release_file()\n pressure_write()\t\t\tcgroup_file_release()\n ctx = of->priv;\n\t\t\t\t\tkfree(ctx);\n \t\t\t\t\tof->priv = NULL;\n\t\t\t\t\tcgroup_kn_unlock()\n cgroup_kn_lock_live()\n cgroup_get(cgrp)\n cgroup_kn_unlock()\n if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv\n\nThe cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards\nthe memory deallocation of of->priv performed within cgroup_file_release().\nHowever, the operations involving of->priv executed within pressure_write()\nare not entirely covered by the protection of cgroup_mutex. 
Consequently,\nif the code in pressure_write(), specifically the section handling the\nctx variable executes after cgroup_file_release() has completed, a uaf\nvulnerability involving of->priv is triggered.\n\nTherefore, the issue can be resolved by extending the scope of the\ncgroup_mutex lock within pressure_write() to encompass all code paths\ninvolving of->priv, thereby properly synchronizing the race condition\noccurring between cgroup_file_release() and pressure_write().\n\nAnd, if an live kn lock can be successfully acquired while executing\nthe pressure write operation, it indicates that the cgroup deletion\nprocess has not yet reached its final stage; consequently, the priv\npointer within open_file cannot be NULL. Therefore, the operation to\nretrieve the ctx value must be moved to a point *after* the live kn\nlock has been successfully acquired.\n\nIn another situation, specifically after entering cgroup_kn_lock_live()\nbut before acquiring cgroup_mutex, there exists a different class of\nrace condition:\n\nCPU0: write memory.pressure               CPU1: write cgroup.pressure=0\n===========================\t\t  =============================\n\nkernfs_fop_write_iter()\n kernfs_get_active_of(of)\n pressure_write()\n   cgroup_kn_lock_live(memory.pressure)\n     cgroup_tryget(cgrp)\n     kernfs_break_active_protection(kn)\n     ... 
blocks on cgroup_mutex\n\n                                     \t  cgroup_pressure_write()\n                                     \t  cgroup_kn_lock_live(cgroup.pressure)\n                                     \t  cgroup_file_show(memory.pressure, false)\n                                     \t    kernfs_show(false)\n                                     \t      kernfs_drain_open_files()\n                                     \t        cgroup_file_release(of)\n                                     \t          kfree(ctx)\n                                     \t            of->priv = NULL\n                                     \t  cgroup_kn_unlock()\n\n   ... acquires cgroup_mutex\n   ctx = of->priv;        // may now be NULL\n   if (ctx->psi.trigger)  // NULL dereference\n\nConsequently, there is a possibility that of->priv is NULL, the pressure\nwrite needs to check for this.\n\nNow that the scope of the cgroup_mutex has been expanded, the original\nexplicit cgroup_get/put operations are no longer necessary, this is\nbecause acquiring/releasing the live kn lock inherently executes a\ncgroup get/put operation.\n\n[1]\nBUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\nCall Trace:\n pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\n cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:43\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-06-24T16:29:04.810Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/03dc070fa0fc3cb4068693f468ccd5f8a7e58282"},{"url":"https://git.kernel.org/stable/c/d4352c0709bfd38c752fccbde7fd72a82ac78f23"},{"url":"https://git.kernel.org/stable/c/a5b98009f16d8a5fb4a8ff9a193f5735515c38fa"}],"title":"sched/psi: fix race between file release and pressure 
write","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-52991","datePublished":"2026-06-24T16:29:04.810Z","dateReserved":"2026-06-09T07:44:35.377Z","dateUpdated":"2026-06-24T16:29:04.810Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:09","lastModifiedDate":"2026-06-24 17:17:09","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"52991","Ordinal":"1","Title":"sched/psi: fix race between file release and pressure write","CVE":"CVE-2026-52991","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"52991","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: fix race between file release and pressure write\n\nA potential race condition exists between pressure write and cgroup file\nrelease regarding the priv member of struct kernfs_open_file, which\ntriggers the uaf reported in [1].\n\nConsider the following scenario involving execution on two separate CPUs:\n\n   CPU0\t\t\t\t\tCPU1\n   ====\t\t\t\t\t====\n\t\t\t\t\tvfs_rmdir()\n\t\t\t\t\tkernfs_iop_rmdir()\n\t\t\t\t\tcgroup_rmdir()\n\t\t\t\t\tcgroup_kn_lock_live()\n\t\t\t\t\tcgroup_destroy_locked()\n\t\t\t\t\tcgroup_addrm_files()\n\t\t\t\t\tcgroup_rm_file()\n\t\t\t\t\tkernfs_remove_by_name()\n\t\t\t\t\tkernfs_remove_by_name_ns()\n vfs_write()\t\t\t\t__kernfs_remove()\n new_sync_write()\t\t\tkernfs_drain()\n kernfs_fop_write_iter()\t\tkernfs_drain_open_files()\n cgroup_file_write()\t\t\tkernfs_release_file()\n pressure_write()\t\t\tcgroup_file_release()\n ctx = of->priv;\n\t\t\t\t\tkfree(ctx);\n \t\t\t\t\tof->priv = NULL;\n\t\t\t\t\tcgroup_kn_unlock()\n cgroup_kn_lock_live()\n cgroup_get(cgrp)\n cgroup_kn_unlock()\n if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv\n\nThe cgroup_rmdir() is protected by the cgroup_mutex, it also 
safeguards\nthe memory deallocation of of->priv performed within cgroup_file_release().\nHowever, the operations involving of->priv executed within pressure_write()\nare not entirely covered by the protection of cgroup_mutex. Consequently,\nif the code in pressure_write(), specifically the section handling the\nctx variable executes after cgroup_file_release() has completed, a uaf\nvulnerability involving of->priv is triggered.\n\nTherefore, the issue can be resolved by extending the scope of the\ncgroup_mutex lock within pressure_write() to encompass all code paths\ninvolving of->priv, thereby properly synchronizing the race condition\noccurring between cgroup_file_release() and pressure_write().\n\nAnd, if an live kn lock can be successfully acquired while executing\nthe pressure write operation, it indicates that the cgroup deletion\nprocess has not yet reached its final stage; consequently, the priv\npointer within open_file cannot be NULL. Therefore, the operation to\nretrieve the ctx value must be moved to a point *after* the live kn\nlock has been successfully acquired.\n\nIn another situation, specifically after entering cgroup_kn_lock_live()\nbut before acquiring cgroup_mutex, there exists a different class of\nrace condition:\n\nCPU0: write memory.pressure               CPU1: write cgroup.pressure=0\n===========================\t\t  =============================\n\nkernfs_fop_write_iter()\n kernfs_get_active_of(of)\n pressure_write()\n   cgroup_kn_lock_live(memory.pressure)\n     cgroup_tryget(cgrp)\n     kernfs_break_active_protection(kn)\n     ... 
blocks on cgroup_mutex\n\n                                     \t  cgroup_pressure_write()\n                                     \t  cgroup_kn_lock_live(cgroup.pressure)\n                                     \t  cgroup_file_show(memory.pressure, false)\n                                     \t    kernfs_show(false)\n                                     \t      kernfs_drain_open_files()\n                                     \t        cgroup_file_release(of)\n                                     \t          kfree(ctx)\n                                     \t            of->priv = NULL\n                                     \t  cgroup_kn_unlock()\n\n   ... acquires cgroup_mutex\n   ctx = of->priv;        // may now be NULL\n   if (ctx->psi.trigger)  // NULL dereference\n\nConsequently, there is a possibility that of->priv is NULL, the pressure\nwrite needs to check for this.\n\nNow that the scope of the cgroup_mutex has been expanded, the original\nexplicit cgroup_get/put operations are no longer necessary, this is\nbecause acquiring/releasing the live kn lock inherently executes a\ncgroup get/put operation.\n\n[1]\nBUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\nCall Trace:\n pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\n cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:43\n---truncated---","Type":"Description","Title":"sched/psi: fix race between file release and pressure write"}]}}}