In the Linux kernel, the following vulnerability has been resolved:

zram: fix use-after-free in zram_bvec_write_partial()

zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.
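The lifetime problem described above, as an added userspace model (not kernel code and not part of the original record). `read_page()`, `complete_io()`, `write_partial()` and the `struct page`/`struct bio` stand-ins are hypothetical simplifications; the safe variant passes NULL, which is what the description says was done for zram_bvec_read_partial().

```c
#include <stdio.h>
#include <string.h>

/* Constructed userspace model: names echo the advisory, bodies are hypothetical. */
struct page { unsigned char data[16]; int freed; };
struct bio { int unused; };              /* stand-in for the parent bio */

static struct page *pending;             /* buffer targeted by an in-flight async read */

/* Models zram_read_page() on a ZRAM_WB slot: a non-NULL parent selects the async path. */
static int read_page(struct page *pg, struct bio *parent)
{
    if (parent) {                        /* async: dispatched, returns 0 before data lands */
        pending = pg;
        return 0;
    }
    memset(pg->data, 0xAB, sizeof(pg->data)); /* sync: buffer is filled on return */
    return 0;
}

/* Models the backing-device completion; returns 1 if its target was already freed. */
static int complete_io(void)
{
    int hit_freed = 0;
    if (pending) {
        hit_freed = pending->freed;
        if (!hit_freed)                  /* the model refuses the write the real bug performs */
            memset(pending->data, 0xAB, sizeof(pending->data));
        pending = NULL;
    }
    return hit_freed;
}

/* Models zram_bvec_write_partial(): read-modify-write through a temporary page. */
static int write_partial(struct bio *parent_for_read)
{
    struct page tmp = { {0}, 0 };
    read_page(&tmp, parent_for_read);
    /* memcpy_from_bvec() and zram_write_page() would consume tmp.data here */
    tmp.freed = 1;                       /* models __free_page() */
    return complete_io();                /* completion arrives after the free, if async */
}

int main(void)
{
    struct bio parent = { 0 };
    printf("parent bio passed: completion hit freed page = %d\n", write_partial(&parent));
    printf("NULL passed:       completion hit freed page = %d\n", write_partial(NULL));
    return 0;
}
```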
History

Thu, 25 Jun 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-416 |

Thu, 25 Jun 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zram_bvec_write_partial() zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page. zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed. |
| Title | | zram: fix use-after-free in zram_bvec_write_partial() |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:58.853Z

Updated: 2026-06-25T08:38:58.853Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53185

Vulnrichment

No data.

NVD

No data.

Redhat

No data.