Linux Kernel UAF via may_decode_fh() RCU Race
CVE-2026-53341 Published on July 1, 2026
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
In the Linux kernel, the following vulnerability has been resolved:
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
may_decode_fh() accesses mount::mnt_ns without holding any locks; that
means the mount can concurrently be unmounted, and the mnt_namespace can
concurrently be freed after an RCU grace period.
This race can happen as follows, assuming that the mount point was
created by open_tree(..., OPEN_TREE_CLONE):
thread 1                        thread 2                                RCU
__do_sys_open_by_handle_at
  do_handle_open
    handle_to_path
      may_decode_fh
        is_mounted
          [mount::mnt_ns access]
        [mount::mnt_ns access]
                                __do_sys_close
                                  fput_close_sync
                                    __fput
                                      dissolve_on_fput
                                        umount_tree
                                        class_namespace_excl_destructor
                                          namespace_unlock
                                            free_mnt_ns
                                              mnt_ns_tree_remove
                                              call_rcu(mnt_ns_release_rcu)
                                                                        mnt_ns_release_rcu
                                                                          mnt_ns_release
                                                                            kfree
        [mnt_namespace::user_ns access] **UAF**
Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
in __prepend_path().
Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()
for writers that can race with lockless readers.
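To make the interleaving above and the effect of the fix concrete, here is an added single-threaded C model; it is example code written for this page, not kernel code. The toy_* functions stand in for rcu_read_lock(), rcu_read_unlock(), call_rcu() and the grace period, the `freed` flag stands in for memory handed to kfree(), and the struct layouts, `user_ns_level` field and `model_*`/`replay_race` names are assumptions made for the model, not identifiers from the kernel tree.

```c
/* Added example, not kernel code: a single-threaded replay of the interleaving in
 * the advisory. The toy_* functions model rcu_read_lock()/rcu_read_unlock(),
 * call_rcu() and the grace period; the `freed` flag models memory handed to kfree(). */
#include <stdio.h>
#include <stdlib.h>

struct mnt_namespace {
    int user_ns_level;   /* stands in for the mnt_namespace::user_ns data the reader needs */
    int freed;           /* model flag: set once the "RCU callback" has released the object */
};

struct mount {
    struct mnt_namespace *mnt_ns;   /* read locklessly by may_decode_fh() in the bug */
};

/* Toy RCU: one global count of active read-side critical sections and one
 * deferred-free slot. A grace period can only complete when no reader is active. */
static int toy_readers;
static struct mnt_namespace *toy_pending;

static void toy_grace_period(void)
{
    if (toy_readers == 0 && toy_pending != NULL) {
        toy_pending->freed = 1;   /* mnt_ns_release_rcu -> mnt_ns_release -> kfree */
        toy_pending = NULL;
    }
}
static void toy_rcu_read_lock(void)   { toy_readers++; }
static void toy_rcu_read_unlock(void) { toy_readers--; toy_grace_period(); }
static void toy_call_rcu(struct mnt_namespace *ns) { toy_pending = ns; toy_grace_period(); }

/* Thread 2: umount_tree -> free_mnt_ns -> call_rcu(mnt_ns_release_rcu).
 * The fix uses WRITE_ONCE() for this store because lockless readers can race with it. */
static void model_umount(struct mount *m)
{
    struct mnt_namespace *ns = m->mnt_ns;
    m->mnt_ns = NULL;
    toy_call_rcu(ns);
}

enum race_outcome { OUTCOME_SAFE = 0, OUTCOME_UAF = 1, OUTCOME_LEAK = 2 };

/* Replay the race with or without the fix's rcu_read_lock() around the
 * mount::mnt_ns access. The preemption point between the two accesses is where
 * the advisory requires CONFIG_PREEMPTION or CONFIG_RCU_STRICT_GRACE_PERIOD. */
static enum race_outcome replay_race(int with_rcu_read_lock)
{
    struct mnt_namespace *ns = calloc(1, sizeof *ns);
    if (ns == NULL)
        abort();
    struct mount m = { .mnt_ns = ns };
    enum race_outcome outcome;

    ns->user_ns_level = 3;
    toy_readers = 0;
    toy_pending = NULL;

    /* thread 1: may_decode_fh -> is_mounted, reads mount::mnt_ns */
    if (with_rcu_read_lock)
        toy_rcu_read_lock();
    struct mnt_namespace *seen = m.mnt_ns;

    /* preemption point: thread 2 closes the open_tree() fd, the mount is torn
     * down, and RCU tries to run the release callback */
    model_umount(&m);
    toy_grace_period();

    /* thread 1 resumes and dereferences the pointer it read earlier
     * (the mnt_namespace::user_ns access in the advisory) */
    int hit_freed = seen->freed;
    int level = seen->user_ns_level;
    (void)level;

    if (with_rcu_read_lock)
        toy_rcu_read_unlock();   /* only now can the grace period complete */

    if (hit_freed)
        outcome = OUTCOME_UAF;
    else if (!ns->freed)
        outcome = OUTCOME_LEAK;  /* would mean the deferred free never ran */
    else
        outcome = OUTCOME_SAFE;
    free(ns);
    return outcome;
}

int main(void)
{
    static const char *names[] = { "safe", "UAF", "leak" };
    printf("without rcu_read_lock: %s\n", names[replay_race(0)]);
    printf("with rcu_read_lock:    %s\n", names[replay_race(1)]);
    return 0;
}
```

Without the read-side critical section the deferred free runs at the preemption point and the second access lands on released memory; with it, the free is merely delayed until rcu_read_unlock(), which is the whole content of the fix.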
This bug is unreachable unless one of the following is set:
- CONFIG_PREEMPTION
- CONFIG_RCU_STRICT_GRACE_PERIOD
because it requires an RCU grace period to happen during a syscall without
an explicit preemption.
This doesn't seem to have interesting security impact; worst-case, it could
leak the result of an integer comparison to userspace (from the level
check in cap_capable()), cause an endless loop, or crash the kernel by
dereferencing an invalid address.
Affected Versions
Linux:
- Version 620c266f394932e5decc4b34683a75dfc59dc2f4 and below 15ea8dc42a02259d49dee38a658d40f60fcd75ed is affected.
- Version 620c266f394932e5decc4b34683a75dfc59dc2f4 and below 32138633e51e6db59e474765cf93268c92b42888 is affected.
- Version 620c266f394932e5decc4b34683a75dfc59dc2f4 and below a8ed2c29fcfdac78db96c9da4e659c8a513f2a94 is affected.
- Version 620c266f394932e5decc4b34683a75dfc59dc2f4 and below 40ab6644b99685755f740b872c00ef40d9aa870e is affected.
- Version 6.11 is affected.
- Before 6.11 is unaffected.
- Version 6.12.95, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.
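The reachability condition (CONFIG_PREEMPTION or CONFIG_RCU_STRICT_GRACE_PERIOD) and the version list above together decide whether a given host needs attention. The following C triage helper is an added example, not part of the advisory or the kernel tree: it encodes only the versions stated on this page (affected from 6.11; fixed in 6.12.95, 6.18.36 and 7.0.13; 7.1 and later unaffected) and scans kernel config text in the format of /boot/config-* or `zcat /proc/config.gz` for either option. The function and enum names and the sample config are assumptions constructed for the example.

```c
/* Added example, not from the advisory or the kernel tree: triage helper that
 * applies the advisory's affected-version list and reachability condition. */
#include <stdio.h>
#include <string.h>

enum version_state { VER_UNAFFECTED, VER_AFFECTED, VER_UNKNOWN };

/* Parse "MAJOR.MINOR[.PATCH][-suffix]" into three ints; a missing PATCH is 0. */
static int parse_version(const char *s, int v[3])
{
    v[0] = v[1] = v[2] = 0;
    return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) >= 2;
}

static int version_cmp(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Ranges exactly as the page lists them: affected from 6.11; stable branches 6.12,
 * 6.18 and 7.0 fixed in 6.12.95, 6.18.36 and 7.0.13; 7.1 and later unaffected. */
static enum version_state version_state(const char *release)
{
    static const int first_affected[3] = { 6, 11, 0 };
    static const int first_unaffected[3] = { 7, 1, 0 };
    static const int fixed[][3] = { { 6, 12, 95 }, { 6, 18, 36 }, { 7, 0, 13 } };
    int v[3];

    if (!parse_version(release, v))
        return VER_UNKNOWN;
    if (version_cmp(v, first_affected) < 0 || version_cmp(v, first_unaffected) >= 0)
        return VER_UNAFFECTED;
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (v[0] == fixed[i][0] && v[1] == fixed[i][1])
            return version_cmp(v, fixed[i]) >= 0 ? VER_UNAFFECTED : VER_AFFECTED;
    return VER_AFFECTED;   /* 6.11 <= v < 7.1 on a branch with no fix listed on the page */
}

/* True when the config text has CONFIG_PREEMPTION=y or
 * CONFIG_RCU_STRICT_GRACE_PERIOD=y as a whole line ("# ... is not set" lines never match). */
static int race_reachable(const char *config_text)
{
    static const char *const needles[] = { "CONFIG_PREEMPTION=y", "CONFIG_RCU_STRICT_GRACE_PERIOD=y" };
    for (size_t i = 0; i < 2; i++) {
        const char *p = config_text;
        while ((p = strstr(p, needles[i])) != NULL) {
            const char *end = p + strlen(needles[i]);
            int at_line_start = (p == config_text || p[-1] == '\n');
            if (at_line_start && (*end == '\n' || *end == '\0'))
                return 1;
            p = end;
        }
    }
    return 0;
}

enum triage_result {
    TRIAGE_UNAFFECTED_VERSION,
    TRIAGE_AFFECTED_UNREACHABLE,
    TRIAGE_AFFECTED_REACHABLE,
    TRIAGE_UNKNOWN_VERSION
};

static enum triage_result triage(const char *release, const char *config_text)
{
    enum version_state vs = version_state(release);
    if (vs == VER_UNKNOWN)
        return TRIAGE_UNKNOWN_VERSION;
    if (vs == VER_UNAFFECTED)
        return TRIAGE_UNAFFECTED_VERSION;
    return race_reachable(config_text) ? TRIAGE_AFFECTED_REACHABLE : TRIAGE_AFFECTED_UNREACHABLE;
}

/* Constructed sample config, not taken from any real system. */
static const char SAMPLE_CONFIG[] =
    "CONFIG_PREEMPT_VOLUNTARY=y\n"
    "# CONFIG_PREEMPTION is not set\n"
    "CONFIG_RCU_STRICT_GRACE_PERIOD=y\n";

int main(void)
{
    static const char *const labels[] = {
        "unaffected version", "affected, race unreachable",
        "affected, race reachable", "unknown version"
    };
    printf("6.12.90:         %s\n", labels[triage("6.12.90", SAMPLE_CONFIG)]);
    printf("6.12.95-generic: %s\n", labels[triage("6.12.95-generic", SAMPLE_CONFIG)]);
    return 0;
}
```

For a live host, feed `uname -r` and the contents of /boot/config-$(uname -r) (or `zcat /proc/config.gz`) to triage(). A host in the affected range but without either option set still deserves the stable update; the helper only records that the page's stated trigger condition is absent.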