CVE-2026-53304 in Linux

Summary

by MITRE • 06/26/2026

In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Resolve soft lockup issue when opening /dev/sgX

The parameter def_reserved_size defines the default buffer size reserved for each Sg_fd and should be restricted to a range between 0 and 1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the function sg_proc_write_dressz enforces this limit, it is possible to bypass it by directly modifying the module parameter as shown below, which then causes a soft lockup:

echo -1 > /sys/module/sg/parameters/def_reserved_size
exec 4<> /dev/sg0

watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
Modules loaded:
CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled
Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014
...
Call Trace:
sg_build_reserve+0x5c/0xa0
sg_add_sfp+0x168/0x270
sg_open+0x16e/0x340
chrdev_open+0xbe/0x230
do_dentry_open+0x175/0x480
vfs_open+0x34/0xf0
do_open+0x265/0x3d0
path_openat+0x110/0x290
do_filp_open+0xc3/0x170
do_sys_openat2+0x71/0xe0
__x64_sys_openat+0x6d/0xa0
do_syscall_64+0x62/0x310
entry_SYSCALL_64_after_hwframe+0x76/0x7e

The fix is to use module_param_cb to validate and reject invalid values assigned to def_reserved_size.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability described involves a critical flaw in the Linux kernel's SCSI generic (sg) subsystem that can lead to system instability through soft lockup conditions. This issue specifically affects the /dev/sgX device handling mechanism, where the module parameter def_reserved_size controls buffer allocation for each Sg_fd structure. The parameter should logically be constrained between 0 and 1,048,576 bytes according to standard SCSI generic documentation practices, yet a bypass mechanism exists that allows arbitrary negative values to be assigned directly through the sysfs interface.

The technical exploitation occurs when an attacker or malicious process directly modifies the module parameter via echo -1 > /sys/module/sg/parameters/def_reserved_size without proper validation. This direct parameter manipulation circumvents the existing sg_proc_write_dressz function which was designed to enforce the size limits, creating a path for malformed buffer allocations that ultimately result in system lockup conditions. The call trace demonstrates the execution flow leading to kernel panic through sg_build_reserve function where insufficient bounds checking causes the system to become unresponsive.

This vulnerability represents a classic example of improper input validation and privilege escalation within kernel space operations, aligning with CWE-129: Improper Validation of Array Index and CWE-20: Improper Input Validation categories. The attack vector specifically follows ATT&CK technique T1068: Exploitation for Privilege Escalation by leveraging kernel module parameter manipulation to achieve system-level compromise. The soft lockup condition manifests as a watchdog-triggered system halt where CPU#5 remains stuck for extended periods, indicating the kernel's inability to properly handle the invalid buffer allocation scenario.

The fix implements module_param_cb which provides callback-based validation for module parameters, ensuring that any assignment to def_reserved_size undergoes proper validation before being accepted. This approach prevents direct sysfs manipulation from bypassing validation checks and enforces consistent parameter boundaries across all code paths. The solution addresses the root cause by implementing proper input sanitization at the parameter registration level rather than relying on post-assignment validation functions that can be circumvented through direct interface access.
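The commit message above (the fix "is to use module_param_cb to validate and reject invalid values assigned to def_reserved_size") and this paragraph both describe the same pattern. The following is an added example, not the kernel's code or the actual patch: a user-space C model of the difference between an unchecked integer module parameter and a module_param_cb-style set callback. In the real kernel API, module_param_cb(name, ops, arg, perm) registers a struct kernel_param_ops whose .set callback has the signature int set(const char *val, const struct kernel_param *kp); the struct param_ops, param_set_unchecked, param_set_def_reserved_size, sysfs_write_param and reset/current helpers below are simplified stand-ins constructed for this demo. Only the 0..1,048,576 bounds from the page, the -EINVAL return convention and the "reject, keep old value" behaviour mirror the kernel.

```c
/*
 * Added example (not the kernel's code): a user-space model of the
 * module_param_cb() validation pattern the sg fix adopts.
 *
 * Hypothetical names: param_ops, param_set_unchecked,
 * param_set_def_reserved_size, sysfs_write_param, reset_def_reserved_size,
 * current_def_reserved_size. Sample writes in main() are constructed.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEF_RESERVED_MIN 0
#define DEF_RESERVED_MAX 1048576 /* upper bound documented for def_reserved_size */

/* Shape of kernel_param_ops.set, simplified: parse text, store, or return -errno. */
struct param_ops {
    int (*set)(const char *val, int *target);
};

/* Module-level storage standing in for sg's def_reserved_size. */
static int def_reserved_size = 32768;

/* Unchecked path: what a plain integer module_param() does.
 * Any integer that parses, including -1, is stored as-is. */
static int param_set_unchecked(const char *val, int *target)
{
    char *end;
    errno = 0;
    long v = strtol(val, &end, 0);
    if (end == val || errno != 0)
        return -EINVAL;
    *target = (int)v;
    return 0;
}

/* Checked path: the set callback a module_param_cb() registration installs.
 * Rejects non-numeric input, trailing junk (a trailing newline from `echo`
 * is tolerated) and anything outside [DEF_RESERVED_MIN, DEF_RESERVED_MAX].
 * On rejection the stored value is left untouched. */
static int param_set_def_reserved_size(const char *val, int *target)
{
    char *end;
    long v;

    if (val == NULL || *val == '\0')
        return -EINVAL;
    errno = 0;
    v = strtol(val, &end, 0);
    if (end == val || errno == ERANGE)
        return -EINVAL;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0')
        return -EINVAL;
    if (v < DEF_RESERVED_MIN || v > DEF_RESERVED_MAX)
        return -EINVAL;
    *target = (int)v;
    return 0;
}

static const struct param_ops unchecked_ops = { .set = param_set_unchecked };
static const struct param_ops checked_ops   = { .set = param_set_def_reserved_size };

/* Models a write to /sys/module/sg/parameters/def_reserved_size: the buffer
 * handed to ops->set is exactly what user space wrote. Returns the callback's
 * result, which is the error a failed write(2) would surface to `echo`. */
int sysfs_write_param(const struct param_ops *ops, const char *buf)
{
    return ops->set(buf, &def_reserved_size);
}

int current_def_reserved_size(void)
{
    return def_reserved_size;
}

void reset_def_reserved_size(void)
{
    def_reserved_size = 32768;
}

int main(void)
{
    /* Constructed sample writes: the page's -1, an over-limit value, valid
     * decimal and hex values, non-numeric text and an empty write. */
    const char *writes[] = { "-1\n", "1048577\n", "65536\n", "0x10000", "abc", "" };
    size_t i;

    for (i = 0; i < sizeof writes / sizeof writes[0]; i++) {
        reset_def_reserved_size();
        int rc_u = sysfs_write_param(&unchecked_ops, writes[i]);
        int v_u = current_def_reserved_size();
        reset_def_reserved_size();
        int rc_c = sysfs_write_param(&checked_ops, writes[i]);
        int v_c = current_def_reserved_size();
        printf("write #%zu: unchecked rc=%d value=%d | checked rc=%d value=%d\n",
               i, rc_u, v_u, rc_c, v_c);
    }
    return 0;
}
```

The point of the model is where the check lives: in the unchecked variant the only validation is in a separate write handler (the page's sg_proc_write_dressz), so a write through a different path such as sysfs stores -1 and the open of /dev/sg0 later consumes that value. With the callback registered at parameter level, every assignment path goes through the same range check and an out-of-range write fails with EINVAL while the previous value is preserved.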

The operational impact of this vulnerability extends beyond simple system stability concerns to encompass potential denial-of-service scenarios that could affect critical infrastructure systems relying on SCSI storage operations. Systems with multiple SCSI devices or those operating in high-availability environments face significant risk from this flaw, as it can cause complete system lockup without proper recovery mechanisms. The vulnerability particularly affects systems running kernel versions where the sg module is active and accessible through standard sysfs interfaces.

Security implications of this issue demonstrate a failure in kernel module parameter validation that could enable unauthorized users to destabilize systems through carefully crafted buffer size manipulations. The bypass mechanism highlights the importance of defense-in-depth approaches where multiple validation layers protect against single points of failure in kernel subsystems. This vulnerability underscores the need for comprehensive input validation not just at user-space interfaces but also at the kernel module parameter level to prevent arbitrary code execution or system lockup conditions.

Responsible: Linux

Reservation: 06/09/2026

Disclosure: 06/26/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
