CVE-2026-53160 in Linuxinfo

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free race in fastrpc_map_create

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) on this unprotected pointer. A concurrent MEM_UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability resides in the Linux kernel's fastrpc subsystem, which handles remote procedure calls to the DSPs on Qualcomm SoC platforms. The issue is a use-after-free race condition in memory-mapping management inside the fastrpc_map_create function: a classic concurrency flaw in which the synchronization that is supposed to protect a shared data structure does not cover the whole critical path.

Technically, fastrpc_map_lookup returns a raw pointer to a memory-mapping structure after it has already released fl->lock. That leaves a window in which a concurrent thread can issue a MEM_UNMAP operation that frees the very object the first thread is about to reference. The subsequent fastrpc_map_get call, which uses kref_get_unless_zero, then operates on the unprotected pointer and touches freed slab memory. The flaw is classified under CWE-367 (Time-of-check Time-of-use Race Condition).

The operational impact goes beyond simple memory corruption: the race creates potential attack vectors for privilege escalation and system instability. An attacker able to win the race could execute arbitrary code in kernel space or cause a denial of service through controlled memory corruption. Affected systems are those that use Qualcomm's fastrpc framework, in particular platforms that rely on remote processor communication, which makes the issue relevant to automotive infotainment systems, mobile devices, and embedded platforms.

The mitigation restores the take_ref parameter to fastrpc_map_lookup, so that the reference is acquired atomically while fl->lock is still held and before the pointer is exposed to callers. This follows established practice for concurrent access to reference-counted data structures. In ATT&CK terms the vulnerability class maps to technique T1068 (Exploitation for Privilege Escalation), which covers privilege escalation through kernel vulnerabilities. The fix eliminates the gap between lock release and pointer use by making the reference-count increment part of the locked lookup, so a concurrent free can no longer interleave with a legitimate access.
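The race described in the summary and in the two paragraphs above, replayed in a user-space C model that is an added example and not kernel code: the struct names, the single-map list, the fd value 7, and the `freed` flag standing in for kfree() are all constructed for illustration; `take_ref == false` reproduces the vulnerable lookup, `take_ref == true` the fixed one.

```c
#include <stdbool.h>
/* User-space stand-ins for the kernel objects named in the advisory, constructed
 * for illustration; they are not the kernel's definitions. */
struct kref { int refcount; };
struct fastrpc_map { int fd; struct kref refcount; bool freed; /* kfree()'d */ };
struct fastrpc_user { struct fastrpc_map *maps[4]; int nmaps; /* walked under fl->lock */ };

/* Fails once the count has hit zero, like the kernel helper of the same name. */
static bool kref_get_unless_zero(struct kref *k) { return k->refcount != 0 && ++k->refcount; }

/* take_ref == false is the vulnerable shape: the raw pointer leaves the locked region
 * with no reference held. take_ref == true is the fix: kref_get_unless_zero() runs
 * while fl->lock is still held, so a concurrent MEM_UNMAP cannot free the map first. */
static struct fastrpc_map *fastrpc_map_lookup(struct fastrpc_user *fl, int fd, bool take_ref)
{
	struct fastrpc_map *found = 0;
	/* spin_lock(&fl->lock); */
	for (int i = 0; i < fl->nmaps; i++)
		if (fl->maps[i]->fd == fd &&
		    (!take_ref || kref_get_unless_zero(&fl->maps[i]->refcount)))
			found = fl->maps[i];
	/* spin_unlock(&fl->lock); */
	return found;
}

/* Simulated MEM_UNMAP: unlink the map under fl->lock and drop the list's reference. */
static void fastrpc_mem_unmap(struct fastrpc_user *fl, struct fastrpc_map *map)
{
	for (int i = 0; i < fl->nmaps; i++)
		if (fl->maps[i] == map)
			fl->maps[i] = fl->maps[--fl->nmaps];
	if (--map->refcount.refcount == 0)
		map->freed = true;	/* last reference gone: kfree() in the kernel */
}

/* Replays the advisory's interleaving: lookup returns, MEM_UNMAP lands in the window,
 * then the caller does its kref_get. Returns -1 if the caller touched a freed object,
 * otherwise the number of references still held on the map (1: only the caller's). */
static int race_outcome(bool take_ref)
{
	struct fastrpc_map m = { .fd = 7, .refcount = { 1 }, .freed = false };
	struct fastrpc_user fl = { .maps = { &m }, .nmaps = 1 };
	struct fastrpc_map *map = fastrpc_map_lookup(&fl, 7, take_ref);
	fastrpc_mem_unmap(&fl, &m);		/* the concurrent unmap wins the race */
	if (map->freed)
		return -1;			/* use-after-free in the unfixed kernel */
	if (!take_ref)
		kref_get_unless_zero(&map->refcount);	/* the late, unprotected get */
	return map->refcount.refcount;
}
```

With the unfixed lookup the unmap drops the last reference before the caller's kref_get runs, so the caller dereferences a freed object; with take_ref the list and the caller each hold a reference, and the unmap only drops its own.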

The case illustrates the difficulty of kernel-level concurrency control: it is not enough to hold a lock while walking a list if the reference count that keeps an object alive is only taken after the lock is dropped. Folding the reference acquisition into the locked lookup removes this class of race from fastrpc's map handling and gives callers a pointer that is guaranteed to stay valid, which matters in the embedded and mobile environments where fastrpc is critical for system performance and reliability.

Responsible

Linux

Reservation

06/09/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00172

KEV

no

Activities

very low

Sources
