CVE-2026-53160

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free race in fastrpc map create

fastrpc map lookup returns a raw pointer after releasing fl->lock. The caller fastrpc map create then calls fastrpc map get (kref get unless zero) on this unprotected pointer. A concurrent MEM UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object.

Restore the take ref parameter to fastrpc map lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller.