Concurrent List Del can corrupt LRU links in Linux Kernel (mm/list_lru)
CVE-2026-53153 Published on June 25, 2026
mm/list_lru: drain before clearing xarray entry on reparent
In the Linux kernel, the following vulnerability has been resolved:
mm/list_lru: drain before clearing xarray entry on reparent
memcg_reparent_list_lrus() clears the dying memcg's xarray entry with
xas_store(&xas, NULL) before reparenting its per-node lists into the
parent. This opens a window where a concurrent list_lru_del() arriving
for the dying memcg sees xa_load() == NULL, walks to the parent in
lock_list_lru_of_memcg(), takes the parent's per-node lock, and calls
list_del_init() on an item still physically linked on the dying memcg's
list.
If another in-flight thread holds the dying memcg's per-node lock at the
same moment (another list_lru_del, or a list_lru_walk_one running an
isolate callback), both threads modify ->next/->prev pointers on the same
physical list under different locks. Adjacent items can corrupt each
other's links.
Fix it by reversing the order: reparent each per-node list and mark the
child's list lru dead and then clear the xarray entry. Any concurrent
list_lru op that finds the still-set xarray entry either takes the dying
memcg's per-node lock (synchronizing with the drain) or sees LONG_MIN and
walks to the parent, where the items now live.
Vulnerability Analysis
CVE-2026-53153 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Missing Synchronization
The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
Products Associated with CVE-2026-53153
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.
Affected Versions
Linux:- Version fb56fdf8b9a2f7397f8a83dce50189f3f0cf71af and below c19ff4351214f059349788e13e70e74325831ff6 is affected.
- Version fb56fdf8b9a2f7397f8a83dce50189f3f0cf71af and below 2b66496d794e98f7aeec7688573051f22ec40bac is affected.
- Version fb56fdf8b9a2f7397f8a83dce50189f3f0cf71af and below 98733f3f0becb1ae0701d021c1748e974e5fa55c is affected.
- Version 6.13 is affected.
- Before 6.13 is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.