CVE Catalog

CVE-2026-53047

Unknown
Published: Translated: NVD NIST

Summary

A vulnerability has been identified in the Linux kernel related to incorrect allocation size in the krealloc() function for cap_info->phys. This issue may lead to insufficient memory allocation, which on 32-bit PAE systems can result in a heap buffer overflow.

Risk Assessment

Organizations may be exposed to attacks exploiting this vulnerability, potentially leading to unauthorized memory access and system crashes.

Recommendation

It is recommended to update the Linux kernel to the latest version to mitigate this vulnerability and to monitor systems for potential exploits.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS