HOMEVULNERABILITIESCVE-2026-53059
HIGH

CVE-2026-53059

Published: June 24, 2026· Updated: Jun 30, 2026

7.0
CVSS v3.1
EPSS:0.18%probability of exploitation in 30 daysPercentile:7.4th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

dm log: fix out-of-bounds write due to region_count overflow

The local variable region_count in create_log_context() is declared as

unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit).

When a device-mapper target has a sufficiently large ti->len with a small

region_size, the division result can exceed UINT_MAX. The truncated

value is then used to calculate bitset_size, causing clean_bits,

sync_bits, and recovering_bits to be allocated far smaller than needed

for the actual number of regions.

Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use

region indices derived from the full untruncated region space, causing

out-of-bounds writes to kernel heap memory allocated by vmalloc.

This can be reproduced by creating a mirror target whose region_count

overflows 32 bits:

dmsetup create bigzero --table '0 8589934594 zero'

dmsetup create mymirror --table '0 8589934594 mirror \

core 2 2 nosync 2 /dev/mapper/bigzero 0 \

/dev/mapper/bigzero 0'

The status output confirms the truncation (sync_count=1 instead of

4294967297, because 0x100000001 was truncated to 1):

$ dmsetup status mymirror

0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...

This leads to a kernel crash in core_in_sync:

BUG: scheduling while atomic: (udev-worker)/9150/0x00000000

RIP: 0010:core_in_sync+0x14/0x30 [dm_log]

CR2: 0000000000000008

Fixing recursive fault but reboot is needed!

Fix by widening the local region_count to sector_t and adding an

explicit overflow check before the value is assigned to lc->region_count.

NVD Source

Technical Analysis

CVE-2026-53059 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.0.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityHigh
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (11)

Quick Facts

CVE IDCVE-2026-53059
CVSS Score7.0 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.18%
PublishedJun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53059 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.