CVE-2026-53165

In the Linux kernel, the following vulnerability has been resolved: iomap: avoid potential null folio->mapping deref during error reporting When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(folio->mapping->host, ...). This is called after ifs->read_bytes_pending has been decremented by the bytes attempted to be read. For a folio split across multiple read completions, the folio is only guaranteed to stay locked while read_bytes_pending > 0. Once iomap_finish_folio_read() decrements read_bytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping. As reported by Sam Sun, this is the race that can occur: CPU0: failed completion CPU1: final completion CPU2: truncate ----------------------- ---------------------- -------------- read_bytes_pending -= len finished = false /* preempted before fserror_report_io() */ read_bytes_pending -= len finished = true folio_end_read() truncate clears folio->mapping fserror_report_io( folio->mapping->host, ...) ^ NULL deref Fix this by reporting the error first before decrementing ifs->read_bytes_pending.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*

History

07 Jul 2026, 18:14

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/1ad453817a4077230d1ba88eb0868f05f824449a - () https://git.kernel.org/stable/c/1ad453817a4077230d1ba88eb0868f05f824449a - Patch
References () https://git.kernel.org/stable/c/2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 - () https://git.kernel.org/stable/c/2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 - Patch
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*
CWE CWE-476

28 Jun 2026, 08:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

25 Jun 2026, 09:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-25 09:16

Updated : 2026-07-07 18:14


NVD link : CVE-2026-53165

Mitre link : CVE-2026-53165

CVE.ORG link : CVE-2026-53165


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference