CVE Catalog

CVE-2026-53120

Low risk· EPSS 5%
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile - higher than 5% of all known CVEs

Summary

A use-after-free (UAF) vulnerability was found in the Linux kernel's PCI driver_override mechanism. The issue occurs because the match() function accesses the driver_override field without holding the device lock, leading to a race condition. The fix replaces the custom implementation with the kernel's generic driver_override infrastructure that handles locking properly.

Risk Assessment

An attacker could exploit this vulnerability to gain unauthorized access to kernel memory, potentially leading to privilege escalation or system instability. The risk is particularly high in multi-tenant and virtualized environments.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit PCI: use generic driver_override infrastructure). Monitor official security advisories from your Linux distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: PCI: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Vulnerability data from NVD (NIST) · CISA KEV · EPSS