CVE-2026-53304

In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Resolve soft lockup issue when opening /dev/sgX

The parameter def reserved size defines the default buffer size reserved for each Sg fd and should be restricted to a range between 0 and 1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the function sg proc write dressz enforces this limit, it is possible to bypass it by directly modifying the module parameter as shown below, which then causes a soft lockup:

echo -1 > /sys/module/sg/parameters/def reserved size exec 4<> /dev/sg0

watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537] Modules loaded: CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014 ... Call Trace:

sg build reserve+0x5c/0xa0 sg add sfp+0x168/0x270 sg open+0x16e/0x340 chrdev open+0xbe/0x230 do dentry open+0x175/0x480 vfs open+0x34/0xf0 do open+0x265/0x3d0 path openat+0x110/0x290 do filp open+0xc3/0x170 do sys openat2+0x71/0xe0 x64 sys openat+0x6d/0xa0 do syscall 64+0x62/0x310 entry SYSCALL 64 after hwframe+0x76/0x7e

The fix is to use module param cb to validate and reject invalid values assigned to def reserved size.