HOMEVULNERABILITIESCVE-2026-53265
HIGH

CVE-2026-53265

Published: June 25, 2026· Updated: Jun 30, 2026

7.8
CVSS v3.1
EPSS:0.17%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: check allocation under invalidate lock

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in

invalidating cache blocks") added mq->lock around the destructive part of

smq_invalidate_mapping(), but left the e->allocated check outside the

critical section.

That leaves a check-then-act race. Two concurrent invalidators can both

observe e->allocated as true before either of them takes mq->lock. The

first invalidator that acquires the lock removes the entry from the

queues and hash table and then calls free_entry(), which clears

e->allocated and puts the entry back on the free list. The second

invalidator can then acquire mq->lock and continue with the stale result

of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that

is no longer on those structures. It can also hit the allocation check in

free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the

destructive operations are serialized by the same lock.

NVD Source

Technical Analysis

CVE-2026-53265 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-53265
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.17%
PublishedJun 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53265 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.