CVE-2026-53159 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix DMA address corruption due to find_vma misuse
fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided pointer and compute a DMA address offset. When the address falls in a gap before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows, corrupting the DMA address sent to the DSP.
Replace find_vma() with vma_lookup(), which returns NULL when the address is not contained within any VMA.
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability is a memory-management flaw in the Linux kernel's fastrpc driver (drivers/misc/fastrpc), the component that carries remote procedure calls and the buffers they reference between the application processor and the digital signal processors on Qualcomm mobile and embedded SoCs. The flaw is an incorrect virtual memory area (VMA) lookup while the driver computes the DMA address of a user-supplied buffer, so a user-controlled pointer can make the driver hand the DSP a corrupted DMA address.
The root cause is a misuse of find_vma() in fastrpc_get_args(). find_vma() does not answer "which VMA contains this address"; it returns the first VMA whose vm_end lies above the address, and when the address falls in an unmapped gap that VMA starts above the address. fastrpc_get_args() nevertheless computes (ptr & PAGE_MASK) - vma->vm_start without checking that vma->vm_start <= ptr. Both operands are unsigned, so for a pointer in a gap the subtraction wraps around to a very large offset, and the DMA address built from that offset no longer refers to the caller's buffer. Per the fix description, that corrupted address is then sent to the DSP.
The operational impact depends on what the remote processor does with the bad address. Any process that can open the fastrpc device node can trigger the bug by passing a pointer that lies between two of its own mappings; no special privilege beyond access to the node is required. The directly supported outcome is a DMA transfer against the wrong address, which translates to denial of service or corruption of whatever memory the DSP can reach at that address; whether this can be turned into privilege escalation or code execution is not established by the fix description. In CWE terms the page files this under CWE-129 (Improper Validation of Array Index) and CWE-787 (Out-of-bounds Write); CWE-191 (Integer Underflow) describes the wraparound step itself more precisely. The closest ATT&CK technique is Exploitation for Privilege Escalation (T1068), with the caveat above about how far the corruption can actually be driven.
The fix replaces find_vma() with vma_lookup(). vma_lookup() is the kernel helper for containment checks: it returns the VMA that contains the address and NULL otherwise, whereas find_vma() is a search primitive that may legitimately return a VMA starting above the address. With the change, a pointer in a gap makes the lookup fail and the request is rejected before any offset is computed, so the subtraction can no longer wrap. The same check applies to any driver that resolves user pointers this way: a find_vma() result used for offset arithmetic must be guarded by vma->vm_start <= addr, or the call should be vma_lookup() in the first place. Remediation is to run a kernel that carries the fastrpc fix; the advisory text gives no interim mitigation other than restricting access to the fastrpc device nodes.
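To make the gap case concrete, the following userspace model reproduces both the root-cause arithmetic and the effect of the fix in one place. It is an added example, not the kernel's code: the VMA table, the addresses and the model_* helper names are constructed here, and only the semantics of find_vma() (first VMA with vm_end above the address) and vma_lookup() (containing VMA or NULL) are taken from the kernel. The offset computation is the one quoted in the fix description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the offset computation in fastrpc_get_args().
 * Constructed example, not the kernel's code: the VMA table, addresses
 * and model_* functions are made up to reproduce the find_vma() versus
 * vma_lookup() difference that the fix relies on. */

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

struct vma {
    unsigned long vm_start;   /* first byte of the mapping */
    unsigned long vm_end;     /* one past the last byte */
};

/* Constructed, sorted VMA table: two mappings with an unmapped gap
 * 0x20000..0x3ffff between them. */
static const struct vma vmas[] = {
    { 0x10000UL, 0x20000UL },
    { 0x40000UL, 0x50000UL },
};
#define NVMAS (sizeof(vmas) / sizeof(vmas[0]))

/* find_vma() semantics: first VMA with vm_end > addr. For an address in
 * a gap this is the mapping *above* it, whose vm_start exceeds addr. */
static const struct vma *model_find_vma(unsigned long addr)
{
    for (size_t i = 0; i < NVMAS; i++)
        if (vmas[i].vm_end > addr)
            return &vmas[i];
    return NULL;
}

/* vma_lookup() semantics: the VMA that contains addr, otherwise NULL. */
static const struct vma *model_vma_lookup(unsigned long addr)
{
    const struct vma *v = model_find_vma(addr);
    return (v && v->vm_start <= addr) ? v : NULL;
}

struct dma_off {
    bool ok;              /* a VMA was found and off is meaningful */
    unsigned long off;    /* page offset of ptr within that VMA */
};

/* Vulnerable pattern: trust whatever find_vma() returns. */
static struct dma_off offset_find_vma(unsigned long ptr)
{
    struct dma_off r = { false, 0 };
    const struct vma *v = model_find_vma(ptr);
    if (!v)
        return r;
    /* Unsigned subtraction: wraps to a huge value when vm_start > ptr. */
    r.off = (ptr & PAGE_MASK) - v->vm_start;
    r.ok = true;
    return r;
}

/* Fixed pattern: only compute an offset for a VMA that contains ptr. */
static struct dma_off offset_vma_lookup(unsigned long ptr)
{
    struct dma_off r = { false, 0 };
    const struct vma *v = model_vma_lookup(ptr);
    if (!v)
        return r;         /* gap: the caller must fail the request */
    r.off = (ptr & PAGE_MASK) - v->vm_start;
    r.ok = true;
    return r;
}

int main(void)
{
    /* Constructed inputs: inside mapping A, in the gap, inside B, above all. */
    const unsigned long ptrs[] = { 0x12345UL, 0x30000UL, 0x40010UL, 0x60000UL };
    for (size_t i = 0; i < sizeof(ptrs) / sizeof(ptrs[0]); i++) {
        struct dma_off a = offset_find_vma(ptrs[i]);
        struct dma_off b = offset_vma_lookup(ptrs[i]);
        printf("ptr=%#lx  find_vma: %s off=%#lx  |  vma_lookup: %s off=%#lx\n",
               ptrs[i], a.ok ? "ok  " : "NULL", a.off, b.ok ? "ok  " : "NULL", b.off);
    }
    return 0;
}
```

For the gap address 0x30000 the find_vma() path reports success with an offset of 0xffffffffffff0000 on a 64-bit build, which is the wrapped value that ends up in the DMA address; the vma_lookup() path reports no VMA, which is the condition the patched driver turns into an error return. The same table also shows that the two helpers agree whenever the pointer really is inside a mapping, so the fix changes behaviour only for the invalid input.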