CVE-2026-53166 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock

When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
waiter->task.

The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
the NULL waiter->task, causing a kernel crash.

Add a self-deadlock check for non-top waiters before calling
rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
futex_lock_pi_atomic().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3fb7394a837740770f0d6b4b30567e60786a63f2`	affected	< 16f8e17184b31382076f84751db5ac51fc02733e
`88614876370aac8ad1050ad785a4c095ba17ac11`	affected	< 1f2f3f3eacd6653ab215c5d2ea70811148d433fc
`3bfdc63936dd4773109b7b8c280c0f3b5ae7d349`	affected	< 74e144274af39935b0f410c0ee4d2b91c3730414
`d8cce4773c2b23d819baf5abedc62f7b430e8745`	affected	—
`8a1fc8d698ac5e5916e3082a0f74450d71f9611f`	affected	—
`6d52dfcb2a5db86e346cf51f8fcf2071b8085166`	affected	—
`6.1.175`	affected	< 6.2
`6.6.140`	affected	< 6.7
`6.12.86`	affected	< 6.13

Linux

unaffected

Version	Status	Constraints
`6.18.27`	affected	< 6.18.36
`7.0.4`	affected	< 7.0.13

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e
https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc
https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414

History

Thu, 25 Jun 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
Title		futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:46.089Z

Updated: 2026-06-25T08:38:46.089Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53166

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T14:30:05Z

Weaknesses

CWE-476

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object