PT-2026-51918 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-53024
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
greybus: raw: fix use-after-free if write is called after disconnect
If a user writes to the chardev after disconnect has been called, the
kernel panics with the following trace (with
CONFIG INIT ON FREE DEFAULT ON=y):
BUG: kernel NULL pointer dereference, address: 0000000000000218
...
Call Trace:
<TASK>
gb operation create common+0x61/0x180
gb operation create flags+0x28/0xa0
gb operation sync timeout+0x6f/0x100
raw write+0x7b/0xc7 [gb raw]
vfs write+0xcf/0x420
? task mm cid work+0x136/0x220
ksys write+0x63/0xe0
do syscall 64+0xa4/0x290
entry SYSCALL 64 after hwframe+0x77/0x7fDisconnect calls gb connection destroy, which ends up freeing the
connection object. When gb operation sync is called in the write file
operations, its gets a freed connection as parameter and the kernel
panics.
The gb connection destroy cannot be moved out of the disconnect
function, as the Greybus subsystem expect all connections belonging to a
bundle to be destroyed when disconnect returns.
To prevent this bug, use a rw lock to synchronize access between write
and disconnect. This guarantees that the write function doesn't try
to use a disconnected connection.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux