CVE-2026-53161

HIGHPre-NVD 7.87.8
EchelonGraph scoreHIGH confidence

Score 7.8 from GitHub Security Advisory (severity: HIGH) published 2026-06-25. a secondary CVSS source baseline 7.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 4 sources updated this week
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit:

  • fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent().
  • fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS.
  • fastrpc_free_map() acquires map->fl->lock to safely remove the
map node from the fl->maps list.

The resulting use-after-free manifests as:

pc : fastrpc_buf_free+0x38/0x80 [fastrpc] lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_put_wq+0x78/0xa0 [fastrpc] process_one_work+0x180/0x450 worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.

CVSS v3
7.8
EG Score
7.8(high)
EPSS
3.3%
KEV
Not listed

Published

June 25, 2026

Last Modified

July 6, 2026

Advisory Details (8)

Auto-updated Jun 28, 2026
No patch confirmed yet.
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fbe0947420eec18a84638d29468c2d563ce4e6a3
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ecea4967c2bff92c2fafbc59893f711b39f7b152
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/e85eb5feca8e254905ffa6c57a3c99c89a674a0f
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/e1e3a05efe5954d5bad01157d79429d39a67a7ae
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/df08fadcf0e5f3708365ec3b6d30b5aafd98bea1
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/d42679eef34dd590b694ce3b666c5e2ba10cd4bf
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/c6e5c2be09f814377d7f1ce97370a5b7b3e02814
generic

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c

Vendor Advisories for CVE-2026-53161(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 47× in last 7d / 66× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 20:27 UTCEG score recompute
  2. 2026-07-06 20:27 UTCVendor advisory
  3. 2026-07-06 20:26 UTCGHSA enrichment
  4. 2026-07-06 07:15 UTCEG score recompute
  5. 2026-07-06 07:15 UTCVendor advisory
  6. 2026-07-06 07:15 UTCGHSA enrichment
  7. 2026-07-06 02:23 UTCEPSS rescore
  8. 2026-07-06 02:23 UTCEPSS rescore
  9. 2026-07-05 18:07 UTCEG score recompute
  10. 2026-07-05 18:07 UTCVendor advisory
  11. 2026-07-05 18:07 UTCGHSA enrichment
  12. 2026-07-05 04:58 UTCEG score recompute
  13. 2026-07-05 04:58 UTCVendor advisory
  14. 2026-07-05 04:58 UTCGHSA enrichment
  15. 2026-07-05 02:31 UTCEPSS rescore
  16. 2026-07-05 02:30 UTCEPSS rescore
  17. 2026-07-04 15:30 UTCEG score recompute
  18. 2026-07-04 15:30 UTCVendor advisory
  19. 2026-07-04 15:30 UTCGHSA enrichment
  20. 2026-07-04 06:31 UTCEPSS rescore
  21. 2026-07-04 06:31 UTCEPSS rescore
  22. 2026-07-04 02:23 UTCEG score recompute
  23. 2026-07-04 02:23 UTCVendor advisory
  24. 2026-07-04 02:23 UTCGHSA enrichment
  25. 2026-07-03 13:15 UTCEG score recompute
Show 41 more
  1. 2026-07-03 13:15 UTCVendor advisory
  2. 2026-07-03 13:15 UTCGHSA enrichment
  3. 2026-07-03 00:08 UTCEG score recompute
  4. 2026-07-03 00:08 UTCVendor advisory
  5. 2026-07-03 00:08 UTCGHSA enrichment
  6. 2026-07-02 11:00 UTCEG score recompute
  7. 2026-07-02 11:00 UTCVendor advisory
  8. 2026-07-02 11:00 UTCGHSA enrichment
  9. 2026-07-01 21:28 UTCEG score recompute
  10. 2026-07-01 21:28 UTCVendor advisory
  11. 2026-07-01 21:28 UTCGHSA enrichment
  12. 2026-07-01 15:07 UTCEPSS rescore
  13. 2026-07-01 08:21 UTCEG score recompute
  14. 2026-07-01 08:21 UTCVendor advisory
  15. 2026-07-01 08:21 UTCGHSA enrichment
  16. 2026-06-30 23:22 UTCEPSS rescore
  17. 2026-06-30 19:14 UTCEG score recompute
  18. 2026-06-30 19:14 UTCVendor advisory
  19. 2026-06-30 19:13 UTCGHSA enrichment
  20. 2026-06-30 06:06 UTCEG score recompute
  21. 2026-06-30 06:06 UTCVendor advisory
  22. 2026-06-30 06:06 UTCGHSA enrichment
  23. 2026-06-29 16:59 UTCEG score recompute
  24. 2026-06-29 16:59 UTCVendor advisory
  25. 2026-06-29 16:58 UTCGHSA enrichment
  26. 2026-06-29 14:06 UTCEPSS rescore
  27. 2026-06-29 14:06 UTCEPSS rescore
  28. 2026-06-29 03:51 UTCEG score recompute
  29. 2026-06-29 03:51 UTCVendor advisory
  30. 2026-06-29 03:51 UTCGHSA enrichment
  31. 2026-06-28 14:34 UTCEG score recompute 7.80
  32. 2026-06-28 14:34 UTCVendor advisory
  33. 2026-06-28 14:34 UTCGHSA enrichment
  34. 2026-06-28 14:07 UTCEPSS rescore
  35. 2026-06-28 07:52 UTCMITRE cvelistV5CVSS v3 → 7.8 · severity → HIGH
  36. 2026-06-28 04:56 UTCEPSS rescore
  37. 2026-06-28 04:56 UTCEPSS rescore
  38. 2026-06-27 03:08 UTCEPSS rescore
  39. 2026-06-25 13:49 UTCEPSS rescore
  40. 2026-06-25 10:09 UTCEG score recompute
  41. 2026-06-25 10:09 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-53161?
CVE-2026-53161 is a high vulnerability published on June 25, 2026. In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context There is a race between fastrpcdevicerelease() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpcdevicerelease()…
When was CVE-2026-53161 disclosed?
CVE-2026-53161 was first published in the National Vulnerability Database on June 25, 2026, with the most recent update on July 6, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-53161 actively exploited?
CVE-2026-53161 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-53161?
CVE-2026-53161 has a CVSS v3 base score of 7.8 (NVD).
How do I remediate CVE-2026-53161?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53161, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53161

Explore →

Is Your Infrastructure Affected by CVE-2026-53161?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.