CVE-2026-53210
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
A shared memory (shm) leak was found in the register_shm_helper() function of the TEE driver in the Linux kernel. When iov_iter_npages() returns 0, the function jumps to err_ctx_put, skipping the deallocation of previously allocated shm. The issue can be triggered by TEE_IOC_SHM_REGISTER with zero data length.
Risk Assessment
The memory leak could lead to exhaustion of system resources, potentially causing denial of service (DoS) for other processes using TEE shared memory.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit that changes the jump to err_free_shm instead of err_ctx_put).
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in register_shm_helper() register_shm_helper() allocates shm before calling iov_iter_npages(). If iov_iter_npages() returns 0, the function jumps to err_ctx_put and leaks shm. This can be triggered by TEE_IOC_SHM_REGISTER with struct tee_ioctl_shm_register_data where length is 0. Jump to err_free_shm instead.

