PT-2026-51941 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-53047
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
efi/capsule-loader: fix incorrect sizeof in phys array reallocation
The krealloc() call for cap_info->phys in efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.
The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().
On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.
This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.
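Added example, not part of the advisory or the kernel source: a userspace C model of the sizing mismatch described above, comparing the bytes requested with the bytes the stored entries need. The struct, `PTR_SIZE_32BIT` and the single resize to `pages` entries are assumptions for illustration; the backing buffer is always full-size, so the model reports the overrun without performing one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t phys_addr_t;   /* 64-bit physical address, as on 32-bit PAE */
#define PTR_SIZE_32BIT 4u       /* assumed pointer width on a 32-bit kernel */

struct capsule_model {          /* hypothetical stand-in, not the kernel struct */
    phys_addr_t *phys;
    size_t alloc_bytes;         /* bytes the modelled krealloc() was asked for */
    size_t index;               /* entries stored so far */
};

/* Resize to `count` entries; elem_size is the sizeof operand being modelled. */
static int grow(struct capsule_model *c, size_t count, size_t elem_size)
{
    if (count > SIZE_MAX / sizeof(*c->phys) ||
        (elem_size && count > SIZE_MAX / elem_size))
        return -1;              /* reject a size that would wrap */
    void *p = realloc(c->phys, count * sizeof(*c->phys)); /* safe backing store */
    if (!p)
        return -1;
    c->phys = p;
    c->alloc_bytes = count * elem_size;
    return 0;
}

/* Bytes by which storing the next entry would pass the modelled allocation. */
static size_t overrun_bytes(const struct capsule_model *c)
{
    size_t end = (c->index + 1) * sizeof(*c->phys);
    return end > c->alloc_bytes ? end - c->alloc_bytes : 0;
}

/* Resize once to `pages` entries, store them all, return the worst overrun. */
size_t simulate(size_t pages, size_t elem_size)
{
    struct capsule_model c = {0};
    size_t worst = 0;
    if (grow(&c, pages, elem_size) != 0)
        return 0;
    for (size_t i = 0; i < pages; i++) {
        size_t over = overrun_bytes(&c);
        if (over > worst)
            worst = over;
        c.phys[c.index++] = 0x100000000ULL + i * 4096; /* constructed address */
    }
    free(c.phys);
    return worst;
}

int main(void)
{
    printf("pointer-sized: %zu bytes past the allocation\n", simulate(8, PTR_SIZE_32BIT));
    printf("element-sized: %zu bytes past the allocation\n", simulate(8, sizeof(phys_addr_t)));
    return 0;
}
```

Writing the size as `sizeof(*c->phys)` ties the element size to the array's own type, so the pointer/value mix-up cannot be typed by accident.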
Related identifiers
Affected products
Linux