CVE-2026-53118
Low risk· EPSS 5%Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the vdpa subsystem due to using a custom driver_override mechanism, causing a race condition and potential use-after-free (UAF) when the match() function is called without holding the device lock. The fix switches to the generic driver_override infrastructure that handles proper internal locking.
Risk Assessment
An attacker could exploit this vulnerability to access freed memory (UAF), potentially leading to privilege escalation or system instability.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). Monitor official security advisories from your Linux distribution.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: vdpa: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

