PT-2026-52281 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25
CVE-2026-53185
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
zram: fix use-after-free in zram_bvec_write_partial()
zram_read_page() picks the sync or async backing device read path based on
whether the parent bio is NULL. zram_bvec_write_partial() passes its
parent bio down, so for ZRAM_WB slots the read is dispatched
asynchronously and zram_read_page() returns 0 while the bio is still in
flight. The caller then runs memcpy_from_bvec(), zram_write_page() and
__free_page() on the buffer, leaving the async read to write into a freed
page.
zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
("zram: fix synchronous reads") for the same reason; the write partial
counterpart was missed.
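The lifetime problem described above, as an added user-space model that is not kernel code and not taken from the fix itself. The names model_read_page, model_free_page, partial_write and struct pending are assumptions made for illustration; the model records an in-flight read and reports whether its target buffer was freed first, instead of actually touching freed memory.

```c
/* User-space model of the sync/async read choice (constructed; not kernel code). */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 4096
struct bio { int unused; };                  /* stand-in for the parent bio */
struct pending { unsigned char *buf; bool in_flight, buf_freed; };
static struct pending rd;                    /* the one outstanding async read */

/* Dispatch rule from the advisory: NULL parent => sync, non-NULL => async. */
static int model_read_page(bool slot_is_wb, unsigned char *buf, struct bio *parent)
{
    if (slot_is_wb && parent)                /* async: returns before data lands */
        rd = (struct pending){ .buf = buf, .in_flight = true };
    else
        memset(buf, 0xAA, PAGE_SZ);          /* sync: buffer is filled on return */
    return 0;                                /* both paths report success */
}

static void model_free_page(unsigned char *buf)
{
    if (rd.in_flight && rd.buf == buf)
        rd.buf_freed = true;                 /* freed while the read still owns it */
    free(buf);
}

/* True when the deferred read would complete into an already freed buffer. */
static bool completion_hits_freed_page(void)
{
    return rd.in_flight && rd.buf_freed;
}

/* Partial-write shape: read whole page, patch part of it, write, free. */
static bool partial_write(bool slot_is_wb, struct bio *parent_passed_down)
{
    unsigned char *page = malloc(PAGE_SZ);
    if (!page) return false;
    rd = (struct pending){ 0 };
    if (model_read_page(slot_is_wb, page, parent_passed_down) == 0)
        memset(page + 512, 0x55, 512);       /* stands in for memcpy_from_bvec() */
    model_free_page(page);                   /* stands in for __free_page() */
    return completion_hits_freed_page();
}

int main(void)
{
    struct bio parent = { 0 };               /* exit 0: only the non-NULL parent races */
    return partial_write(true, &parent) && !partial_write(true, NULL) ? 0 : 1;
}
```

Passing a NULL parent, as the read-partial path already does, forces the synchronous branch, so the buffer is fully populated and no read is outstanding when it is freed.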
Affected Products
Linux