CVE-2026-53160
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. The fastrpc_map_lookup function returns a raw pointer after releasing the lock, and the caller fastrpc_map_create attempts to increment the reference count on this unprotected pointer. A concurrent MEM_UNMAP operation can free the map between the lock release and the increment, leading to use-after-free.
Risk Assessment
An attacker could exploit this vulnerability to access already freed kernel memory, potentially leading to privilege escalation or information disclosure.
Recommendation
It is recommended to immediately update the Linux kernel to a version containing the fix that restores the take_ref parameter in fastrpc_map_lookup so that the reference is acquired atomically under the lock.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in fastrpc_map_create fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) on this unprotected pointer. A concurrent MEM_UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object. Restore the take_ref parameter to fastrpc_map_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller.

