PT-2026-51716 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-52923
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ipc: limit next id allocation to the valid ID range
The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next id. ipc idr alloc() currently forwards that request to
idr alloc() with an open-ended upper bound.
If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc mni. The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.
The bug is in ipc idr alloc() in the checkpoint/restore path.
-
ids->next id is passed to:idr alloc(&ids->ipcs idr, new, ipcid to idx(next id), 0, ...)
-
The zero upper bound makes the allocation effectively open-ended. Once the valid SysV IPC tail is occupied, idr alloc() can spill past ipc mni and allocate an entry beyond the valid IPC id range.
-
The new object id is still encoded with the narrower SysV IPC index width:new->id = (new->seq << ipcmni seq shift()) + idx
-
Later removal goes through ipc rmid(), which uses:ipcid to idx(ipcp->id)
That truncates the real IDR index. An object actually stored at a
high index can then be removed as if it lived at a low in-range
index.
-
For shared memory, shm destroy() frees the current object anyway, but the real high IDR slot is left behind as a dangling pointer.
-
A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry and dereferences freed memory.
Prevent this by bounding the requested allocation to ipc mni so the
checkpoint/restore path fails once the valid range is exhausted.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux