CVE-2026-52930

In the Linux kernel, the following vulnerability has been resolved:

ipc/shm: serialize orphan cleanup with shm nattch updates

shm destroy orphaned() walks the shm idr under shm ids(ns).rwsem, but that does not serialize all fields tested by shm may destroy(). In particular, shm nattch is updated while holding shm perm.lock, and attach paths can do that without holding the rwsem.

Do not decide that an orphaned segment is unused before taking the object lock. Move the shm may destroy() check under shm perm.lock, matching the other destroy paths, and unlock the segment when it no longer qualifies for removal.