CVE-2026-53166 - Vulnerability Details

- futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock

Description

In the Linux kernel, the following vulnerability has been resolved:

futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock

When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
waiter->task.

The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
the NULL waiter->task, causing a kernel crash.

Add a self-deadlock check for non-top waiters before calling
rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
futex_lock_pi_atomic().

Published: 2026-06-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3fb7394a837740770f0d6b4b30567e60786a63f2`	affected	< 16f8e17184b31382076f84751db5ac51fc02733e
`88614876370aac8ad1050ad785a4c095ba17ac11`	affected	< 1f2f3f3eacd6653ab215c5d2ea70811148d433fc
`3bfdc63936dd4773109b7b8c280c0f3b5ae7d349`	affected	< 74e144274af39935b0f410c0ee4d2b91c3730414
`d8cce4773c2b23d819baf5abedc62f7b430e8745`	affected	—
`8a1fc8d698ac5e5916e3082a0f74450d71f9611f`	affected	—
`6d52dfcb2a5db86e346cf51f8fcf2071b8085166`	affected	—
`6.1.175`	affected	< 6.2
`6.6.140`	affected	< 6.7
`6.12.86`	affected	< 6.13

Linux

unaffected

Version	Status	Constraints
`6.18.27`	affected	< 6.18.36
`7.0.4`	affected	< 7.0.13

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[3fb7394a837740770f0d6b4b30567e60786a63f2,16f8e17184b31382076f84751db5ac51fc02733e)`	affected	code_commit	—
`[88614876370aac8ad1050ad785a4c095ba17ac11,1f2f3f3eacd6653ab215c5d2ea70811148d433fc)`	affected	code_commit	—
`[3bfdc63936dd4773109b7b8c280c0f3b5ae7d349,74e144274af39935b0f410c0ee4d2b91c3730414)`	affected	code_commit	—
`d8cce4773c2b23d819baf5abedc62f7b430e8745`	affected	code_commit	—
`8a1fc8d698ac5e5916e3082a0f74450d71f9611f`	affected	code_commit	—
`6d52dfcb2a5db86e346cf51f8fcf2071b8085166`	affected	code_commit	—
`[6.1.175,6.2)`	affected	semver	—
`[6.6.140,6.7)`	affected	semver	—
`[6.12.86,6.13)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.18.27,6.18.36)`	affected	semver	—
`[7.0.4,7.0.13)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e
https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc
https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414
https://lore.kernel.org/linux-cve-announce/2026062551-CVE-2026-53166-2861@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53166
https://www.cve.org/CVERecord?id=CVE-2026-53166

History

Fri, 26 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026062551-CVE-2026-53166-2861@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53166 https://www.cve.org/CVERecord?id=CVE-2026-53166
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 25 Jun 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
Title		futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:46.089Z

Updated: 2026-06-25T08:38:46.089Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53166

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53166 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T14:00:22Z

Weaknesses

CWE-476

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object