Linux Kernel: ZRAM Use-After-Free in zram_bvec_write_partial()
CVE-2026-53185 Published on June 25, 2026

zram: fix use-after-free in zram_bvec_write_partial()
In the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zram_bvec_write_partial() zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page. zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.

NVD

Vulnerability Analysis

CVE-2026-53185 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Signal Handler Race Condition

The software uses a signal handler that introduces a race condition.


Products Associated with CVE-2026-53185

stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.

 
 

Affected Versions

Linux: Linux: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: