GHSA-5f39-wjpq-xrrjunknown
In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL...
🔗 CVE IDs covered (1)
📋 Description
In the Linux kernel, the following vulnerability has been resolved:
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task.
The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash.
Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-53166
- https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e
- https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc
- https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414
- https://github.com/advisories/GHSA-5f39-wjpq-xrrj