Home

Description

In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().

PUBLISHED Reserved 2026-06-09 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Linux

Product status

Default status
unaffected

3fb7394a837740770f0d6b4b30567e60786a63f2 (git) before 16f8e17184b31382076f84751db5ac51fc02733e
affected

88614876370aac8ad1050ad785a4c095ba17ac11 (git) before 1f2f3f3eacd6653ab215c5d2ea70811148d433fc
affected

3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 (git) before 74e144274af39935b0f410c0ee4d2b91c3730414
affected

d8cce4773c2b23d819baf5abedc62f7b430e8745 (git)
affected

8a1fc8d698ac5e5916e3082a0f74450d71f9611f (git)
affected

6d52dfcb2a5db86e346cf51f8fcf2071b8085166 (git)
affected

6.1.175 (semver) before 6.2
affected

6.6.140 (semver) before 6.7
affected

6.12.86 (semver) before 6.13
affected

Default status
unaffected

6.18.27 (semver) before 6.18.36
affected

7.0.4 (semver) before 7.0.13
affected

References

git.kernel.org/...c/16f8e17184b31382076f84751db5ac51fc02733e

git.kernel.org/...c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc

git.kernel.org/...c/74e144274af39935b0f410c0ee4d2b91c3730414

cve.org (CVE-2026-53166)

nvd.nist.gov (CVE-2026-53166)

Download JSON