HIGH

CVE-2026-53161

Published: June 25, 2026 · Updated: Jun 30, 2026

CVSS v3.1: 7.8
EPSS: 0.18% probability of exploitation in 30 days (percentile: 8.2th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit:

1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent().

2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS.

3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list.

The resulting use-after-free manifests as:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.

NVD Source
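
The lifetime rule described in the fix, as an added userspace model (not the kernel patch and not the driver's code): each context pins its owner, and teardown runs once, at the last put, whichever of file close or worker completion comes last. All `model_*` names and the sample `vmid` value are hypothetical, an atomic counter stands in for the kref, and the two orderings are run sequentially rather than on real threads.

```c
/* Userspace model of the lifetime rule, not kernel code; model_* names are hypothetical. */
#include <stdatomic.h>
#include <stdlib.h>

struct model_user {
    atomic_int refs;   /* stands in for the kref */
    int *teardowns;    /* counts release-callback runs */
    int vmid;          /* stands in for state reached through fl->cctx */
};
struct model_ctx { struct model_user *fl; };
/* Release callback: the only place the user is torn down and freed. */
static void model_user_free(struct model_user *u) { ++*u->teardowns; free(u); }
static void model_user_put(struct model_user *u) {
    if (atomic_fetch_sub(&u->refs, 1) == 1)   /* old value 1: last reference */
        model_user_free(u);
}
static struct model_user *model_open(int *teardowns) {
    struct model_user *u = malloc(sizeof *u);
    if (!u) abort();
    atomic_init(&u->refs, 1);                 /* initial reference owned by the fd */
    u->teardowns = teardowns;
    u->vmid = 7;                              /* constructed sample value */
    return u;
}
/* Each invoke context takes a reference at allocation time. */
static struct model_ctx *model_ctx_alloc(struct model_user *u) {
    struct model_ctx *c = malloc(sizeof *c);
    if (!c) abort();
    atomic_fetch_add(&u->refs, 1);
    c->fl = u;
    return c;
}
/* Worker side: dereference fl, then drop the context's reference. */
static int model_ctx_free(struct model_ctx *c) {
    int seen = c->fl->vmid;                   /* valid: this context still pins fl */
    model_user_put(c->fl);
    free(c);
    return seen;
}
/* Runs close and worker in either order; *after_first = teardowns after step one. */
static int model_run(int close_first, int *after_first, int *seen) {
    int teardowns = 0;
    struct model_user *u = model_open(&teardowns);
    struct model_ctx *c = model_ctx_alloc(u);
    if (close_first) { model_user_put(u); *after_first = teardowns; *seen = model_ctx_free(c); }
    else { *seen = model_ctx_free(c); *after_first = teardowns; model_user_put(u); }
    return teardowns;                         /* 1 in both orders */
}
int main(void) { int a, s; return !(model_run(1, &a, &s) == 1 && model_run(0, &a, &s) == 1); }
```

Building the model with `-fsanitize=address` and deleting the `atomic_fetch_add` in `model_ctx_alloc` makes the close-first ordering report a heap use-after-free at the `c->fl->vmid` read, which is the same shape as the access in the trace above.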

Technical Analysis

CVE-2026-53161 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), for a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Local
  Attack Complexity: Low
  Privileges Req.: Low
  User Interaction: None
  Scope: Unchanged
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description): Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-53161
CVSS Score: 7.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.18%
Published: Jun 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53161 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.