{"cve":{"cve_id":"CVE-2026-52991","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: fix race between file release and pressure write\n\nA potential race condition exists between pressure write and cgroup file\nrelease regarding the priv member of struct kernfs_open_file, which\ntriggers the uaf reported in [1].\n\nConsider the following scenario involving execution on two separate CPUs:\n\n   CPU0\t\t\t\t\tCPU1\n   ====\t\t\t\t\t====\n\t\t\t\t\tvfs_rmdir()\n\t\t\t\t\tkernfs_iop_rmdir()\n\t\t\t\t\tcgroup_rmdir()\n\t\t\t\t\tcgroup_kn_lock_live()\n\t\t\t\t\tcgroup_destroy_locked()\n\t\t\t\t\tcgroup_addrm_files()\n\t\t\t\t\tcgroup_rm_file()\n\t\t\t\t\tkernfs_remove_by_name()\n\t\t\t\t\tkernfs_remove_by_name_ns()\n vfs_write()\t\t\t\t__kernfs_remove()\n new_sync_write()\t\t\tkernfs_drain()\n kernfs_fop_write_iter()\t\tkernfs_drain_open_files()\n cgroup_file_write()\t\t\tkernfs_release_file()\n pressure_write()\t\t\tcgroup_file_release()\n ctx = of->priv;\n\t\t\t\t\tkfree(ctx);\n \t\t\t\t\tof->priv = NULL;\n\t\t\t\t\tcgroup_kn_unlock()\n cgroup_kn_lock_live()\n cgroup_get(cgrp)\n cgroup_kn_unlock()\n if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv\n\nThe cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards\nthe memory deallocation of of->priv performed within cgroup_file_release().\nHowever, the operations involving of->priv executed within pressure_write()\nare not entirely covered by the protection of cgroup_mutex. 
Consequently,\nif the code in pressure_write(), specifically the section handling the\nctx variable executes after cgroup_file_release() has completed, a uaf\nvulnerability involving of->priv is triggered.\n\nTherefore, the issue can be resolved by extending the scope of the\ncgroup_mutex lock within pressure_write() to encompass all code paths\ninvolving of->priv, thereby properly synchronizing the race condition\noccurring between cgroup_file_release() and pressure_write().\n\nAnd, if a live kn lock can be successfully acquired while executing\nthe pressure write operation, it indicates that the cgroup deletion\nprocess has not yet reached its final stage; consequently, the priv\npointer within open_file cannot be NULL. Therefore, the operation to\nretrieve the ctx value must be moved to a point *after* the live kn\nlock has been successfully acquired.\n\nIn another situation, specifically after entering cgroup_kn_lock_live()\nbut before acquiring cgroup_mutex, there exists a different class of\nrace condition:\n\nCPU0: write memory.pressure               CPU1: write cgroup.pressure=0\n===========================\t\t  =============================\n\nkernfs_fop_write_iter()\n kernfs_get_active_of(of)\n pressure_write()\n   cgroup_kn_lock_live(memory.pressure)\n     cgroup_tryget(cgrp)\n     kernfs_break_active_protection(kn)\n     ... 
blocks on cgroup_mutex\n\n                                     \t  cgroup_pressure_write()\n                                     \t  cgroup_kn_lock_live(cgroup.pressure)\n                                     \t  cgroup_file_show(memory.pressure, false)\n                                     \t    kernfs_show(false)\n                                     \t      kernfs_drain_open_files()\n                                     \t        cgroup_file_release(of)\n                                     \t          kfree(ctx)\n                                     \t            of->priv = NULL\n                                     \t  cgroup_kn_unlock()\n\n   ... acquires cgroup_mutex\n   ctx = of->priv;        // may now be NULL\n   if (ctx->psi.trigger)  // NULL dereference\n\nConsequently, there is a possibility that of->priv is NULL, the pressure\nwrite needs to check for this.\n\nNow that the scope of the cgroup_mutex has been expanded, the original\nexplicit cgroup_get/put operations are no longer necessary, this is\nbecause acquiring/releasing the live kn lock inherently executes a\ncgroup get/put operation.\n\n[1]\nBUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\nCall Trace:\n pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011\n cgroup_file_write+0x36f/0x790 
kernel/cgroup/cgroup.c:43\n---truncated---","published_at":"2026-06-24T16:29:04.810000Z","last_modified_at":null,"cvss_v3_score":7.8,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/03dc070fa0fc3cb4068693f468ccd5f8a7e58282","https://git.kernel.org/stable/c/d4352c0709bfd38c752fccbde7fd72a82ac78f23","https://git.kernel.org/stable/c/a5b98009f16d8a5fb4a8ff9a193f5735515c38fa"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:22.518073Z","updated_at":"2026-06-28T23:30:49.890169Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User 
Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0e94682b73bfa6c44c98af7a26771c9c08c055d5","version_start_inclusive":true,"version_end":"03dc070fa0fc3cb4068693f468ccd5f8a7e58282","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0e94682b73bfa6c44c98af7a26771c9c08c055d5:03dc070fa0fc3cb4068693f468ccd5f8a7e58282"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0e94682b73bfa6c44c98af7a26771c9c08c055d5","version_start_inclusive":true,"version_end":"d4352c0709bfd38c752fccbde7fd72a82ac78f23","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0e94682b73bfa6c44c98af7a26771c9c08c055d5:d4352c0709bfd38c752fccbde7fd72a82ac78f23"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0e94682b73bfa6c44c98af7a26771c9c08c055d5","version_start_inclusive":true,"version_end":"a5b98009f16d8a5fb4a8ff9a193f5735515c38fa","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0e94682b73bfa6c44c98af7a26771c9c08c055d5:a5b98009f16d8a5fb4a8ff9a193f5735515c38fa"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.2","version_start_inclusive":true,"version_end":"5.2","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.2:5.2"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"5.2","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:5.2"},{"ve
ndor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.33","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.33:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.10","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.10:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/03dc070fa0fc3cb4068693f468ccd5f8a7e58282","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/d4352c0709bfd38c752fccbde7fd72a82ac78f23","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/a5b98009f16d8a5fb4a8ff9a193f5735515c38fa","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-24T16:29:04.810000Z","label":"CVE published","source":null}]}