CVE-2026-53161 in Linux

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit:

1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent().

2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS.

3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list.

The resulting use-after-free manifests as:

pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.
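The following is an added, user-space model of the race described in the commit message and of the kref-based fix it describes; it is illustrative code written for this page, not the fastrpc driver's source. All names (user_model, ctx_model, run_naive_race, fixed_context_alloc and so on) are invented, and nothing is really freed: a `freed` flag stands in for kfree() so that a would-be use-after-free is counted instead of crashing. It replays the losing interleaving (close first, then the workqueue frees the in-flight context) under both designs.

```c
/*
 * Added model of the fastrpc_user lifetime race and of the kref fix.
 * Illustrative code for this page, not the driver's source: every name
 * below is invented. Memory is never freed; a `freed` flag stands in for
 * kfree() so a post-teardown access is counted rather than crashing.
 */
#include <stdio.h>

struct user_model {
    int refcount;   /* models the kref: 1 for the open file + 1 per in-flight context */
    int freed;      /* 1 once the release callback ran (stands in for kfree) */
    int lock_taken; /* stands in for fl->lock */
};

struct ctx_model {
    struct user_model *fl; /* back-pointer to the owning user, like ctx->fl */
    int pending;           /* 1 while the DSP has not replied yet */
};

/* Counts every access to a user after its teardown: the bug signal. */
static int uaf_hits;

/* Models what fastrpc_buf_free()/fastrpc_free_map() do: dereference fl. */
static void user_touch(struct user_model *fl)
{
    if (fl->freed)
        uaf_hits++;                       /* the real kernel faults here */
    fl->lock_taken = !fl->lock_taken;     /* stand-in for lock/unlock of fl->lock */
}

/* Release callback: in the fixed design teardown runs here and only here. */
static void user_release(struct user_model *fl)
{
    fl->freed = 1;
}

static void user_get(struct user_model *fl) { fl->refcount++; }

static void user_put(struct user_model *fl)
{
    if (--fl->refcount == 0)
        user_release(fl);
}

/* --- pre-fix model: device release frees the user unconditionally --- */

static void naive_device_release(struct user_model *fl)
{
    user_release(fl);                     /* kfree(fl) despite in-flight contexts */
}

static void naive_context_free(struct ctx_model *ctx)
{
    user_touch(ctx->fl);                  /* dereferences the freed user */
}

/* --- fixed model: every invoke context holds a reference on the user --- */

static struct ctx_model fixed_context_alloc(struct user_model *fl)
{
    struct ctx_model ctx = { .fl = fl, .pending = 1 };
    user_get(fl);                         /* reference taken at allocation time */
    return ctx;
}

static void fixed_context_free(struct ctx_model *ctx)
{
    user_touch(ctx->fl);                  /* safe: our reference keeps fl alive */
    ctx->pending = 0;
    user_put(ctx->fl);                    /* may be the last reference: teardown now */
}

static void fixed_device_release(struct user_model *fl)
{
    user_put(fl);                         /* drop only the file's initial reference */
}

/* close(fd) first, then the workqueue frees the context. Returns the number of
 * post-teardown accesses; a non-zero result reproduces the use-after-free. */
int run_naive_race(void)
{
    struct user_model fl = { .refcount = 1 };
    struct ctx_model ctx = { .fl = &fl, .pending = 1 };
    uaf_hits = 0;
    naive_device_release(&fl);            /* user closes the fd */
    naive_context_free(&ctx);             /* DSP reply arrives; put_work runs */
    return uaf_hits;
}

/* Same interleaving under the kref design. */
int run_fixed_race(void)
{
    struct user_model fl = { .refcount = 1 };
    struct ctx_model ctx = fixed_context_alloc(&fl);   /* refcount 2 */
    uaf_hits = 0;
    fixed_device_release(&fl);            /* refcount 1: user survives */
    fixed_context_free(&ctx);             /* refcount 0: teardown runs here */
    return uaf_hits;
}

/* The fixed design must still tear the user down exactly once in either order. */
int fixed_user_is_torn_down(int close_first)
{
    struct user_model fl = { .refcount = 1 };
    struct ctx_model ctx = fixed_context_alloc(&fl);
    if (close_first) {
        fixed_device_release(&fl);
        fixed_context_free(&ctx);
    } else {
        fixed_context_free(&ctx);
        fixed_device_release(&fl);
    }
    return fl.freed && fl.refcount == 0;
}

int main(void)
{
    printf("naive: %d post-free accesses\n", run_naive_race());
    printf("kref : %d post-free accesses\n", run_fixed_race());
    printf("kref teardown, close first: %d\n", fixed_user_is_torn_down(1));
    printf("kref teardown, ctx first:   %d\n", fixed_user_is_torn_down(0));
    return 0;
}
```

The point the model makes is the one the commit message states: the file's reference and each context's reference are independent, so teardown moves to whichever put() drops the count to zero, and the context path never observes a freed user no matter which side wins the race.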


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability described represents a critical use-after-free condition within the Qualcomm fastrpc driver component of the Linux kernel, specifically affecting the interaction between device release operations and asynchronous workqueue processing. This flaw occurs in the context of remote processor messaging infrastructure where the fastrpc_user structure is freed during file descriptor closure while concurrent DSP response processing may still be active. The race condition manifests when fastrpc_device_release() executes concurrently with workqueue callbacks that process completed DSP invocations, creating a scenario where memory deallocation conflicts with ongoing access patterns.

The technical implementation of this vulnerability stems from improper synchronization between the device cleanup path and asynchronous context handling mechanisms. When a user closes the file descriptor associated with the fastrpc device, the fastrpc_device_release() function immediately frees the fastrpc_user structure while workqueue callbacks may still be scheduled to process responses from in-flight DSP operations. The fastrpc_rpmsg_callback function schedules cleanup work via schedule_work(&ctx->put_work) which eventually executes fastrpc_context_free() in a separate workqueue context. This asynchronous execution creates a window where the freed fastrpc_user structure may still be accessed by cleanup routines that attempt to dereference pointers within the freed memory region.

The specific memory access patterns that trigger this use-after-free involve three distinct code paths within the cleanup functions. First, fastrpc_buf_free() attempts to strip SID bits from IOVA addresses before passing physical addresses to dma_free_coherent(), requiring access to the freed user structure's context information. Second, fastrpc_free_map() reads vmperms[0].vmid to reconstruct permission bitmasks needed for qcom_scm_assign_mem() calls that return DSP memory back to the HLOS, again accessing the freed structure members. Third, fastrpc_free_map() acquires map->fl->lock to safely remove map nodes from lists, which requires valid access to the freed user context's lock management structures. These access patterns demonstrate the severity of the vulnerability as they represent fundamental data structures that control memory management and permission handling within the driver.

The fault follows a predictable execution path: the kernel stack trace in the commit message shows worker_thread() running process_one_work(), which executes fastrpc_context_put_wq() and then fastrpc_context_free(), with the fault taken inside fastrpc_buf_free() when it dereferences the already-freed fastrpc_user. This is a classic race condition where memory deallocation and access occur in parallel without proper synchronization, potentially leading to memory corruption, system instability, or privilege escalation depending on the specific memory layout and timing conditions.

The proposed solution implements a kref-based reference counting mechanism to properly manage the lifecycle of fastrpc_user structures. This approach ensures that each invoke context maintains an active reference to the user structure during its operational lifetime, while the initial reference is released only at device close time. The implementation moves all teardown operations including pending context cleanup, map removal, mmap handling, and channel context deallocation into the kref release callback fastrpc_user_free(), guaranteeing that destruction occurs only when the last reference is dropped. This architectural change aligns with common kernel patterns for managing object lifecycles and follows established security practices for preventing use-after-free vulnerabilities.

This vulnerability type maps directly to CWE-416, Use After Free, which is categorized under the broader class of memory safety issues in software development. The fix addresses fundamental concurrency control problems that are also relevant to ATT&CK framework concepts related to privilege escalation and system stability manipulation. The solution demonstrates proper defensive programming practices by implementing reference counting mechanisms that prevent premature deallocation while maintaining the expected functionality of the driver interface, ensuring that memory operations remain synchronized with their usage patterns throughout the system's execution lifecycle.

The implementation of this fix represents a robust approach to addressing concurrent access issues in kernel drivers and aligns with best practices for managing shared resources across asynchronous processing paths. The kref mechanism provides an elegant solution to the race condition by creating explicit ownership semantics that prevent the premature freeing of objects while allowing them to be cleaned up only when no longer referenced by any active processing path. This approach prevents the scenario where cleanup operations might attempt to access freed memory while ensuring that all resources are properly released when the final reference is dropped, regardless of whether this occurs during normal device closure or after asynchronous context completion.

Responsible: Linux

Reservation: 06/09/2026

Disclosure: 06/25/2026

Moderation: accepted

CPE: ready

EPSS: 0.00184

KEV: no

Activities: low

Sources
