CVE-2026-53166
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
INFO
Published Date :
June 25, 2026, 9:16 a.m.
Last Modified :
July 10, 2026, 12:17 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Apply the Linux kernel patch for futex/requeue.
- Add self-deadlock check before calling rt_mutex_start_proxy_lock.
- Ensure waiter->task is not NULL in remove_waiter.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-53166 vulnerability anywhere in the article.
-
The Hacker News
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. Th ... Read more
The following table lists the changes that have been made to the
CVE-2026-53166 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Rejected by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jul. 10, 2026
Action Type Old Value New Value -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jul. 10, 2026
Action Type Old Value New Value Changed Description In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic(). Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Removed CVSS V3.1 NIST: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Removed CWE NIST: CWE-476 Removed CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.140 up to (excluding) 6.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.175 up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12.86 up to (excluding) 6.13 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.18.27 up to (excluding) 6.18.36 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 7.0.4 up to (excluding) 7.0.13 Removed Reference kernel.org: https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e Removed Reference kernel.org: https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc Removed Reference kernel.org: https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414 Removed Reference Type kernel.org: https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e Types: Patch Removed Reference Type kernel.org: https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc Types: Patch Removed Reference Type kernel.org: https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414 Types: Patch Removed Affected [{'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '3fb7394a837740770f0d6b4b30567e60786a63f2', 'lessThan': '16f8e17184b31382076f84751db5ac51fc02733e', 'versionType': 'git'}, {'status': 'affected', 'version': '88614876370aac8ad1050ad785a4c095ba17ac11', 'lessThan': '1f2f3f3eacd6653ab215c5d2ea70811148d433fc', 'versionType': 'git'}, {'status': 'affected', 'version': '3bfdc63936dd4773109b7b8c280c0f3b5ae7d349', 'lessThan': '74e144274af39935b0f410c0ee4d2b91c3730414', 'versionType': 'git'}, {'status': 'affected', 'version': 'd8cce4773c2b23d819baf5abedc62f7b430e8745', 'versionType': 'git'}, {'status': 'affected', 'version': '8a1fc8d698ac5e5916e3082a0f74450d71f9611f', 'versionType': 'git'}, {'status': 'affected', 'version': '6d52dfcb2a5db86e346cf51f8fcf2071b8085166', 'versionType': 'git'}, {'status': 'affected', 'version': '6.1.175', 'lessThan': '6.2', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.6.140', 'lessThan': '6.7', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.12.86', 'lessThan': '6.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}, {'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '6.18.27', 'lessThan': '6.18.36', 'versionType': 'semver'}, {'status': 'affected', 'version': '7.0.4', 'lessThan': '7.0.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}] -
Initial Analysis by [email protected]
Jul. 07, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Added CWE CWE-476 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.140 up to (excluding) 6.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.175 up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12.86 up to (excluding) 6.13 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.18.27 up to (excluding) 6.18.36 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 7.0.4 up to (excluding) 7.0.13 Added Reference Type kernel.org: https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414 Types: Patch -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 25, 2026
Action Type Old Value New Value Added Affected [{'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '3fb7394a837740770f0d6b4b30567e60786a63f2', 'lessThan': '16f8e17184b31382076f84751db5ac51fc02733e', 'versionType': 'git'}, {'status': 'affected', 'version': '88614876370aac8ad1050ad785a4c095ba17ac11', 'lessThan': '1f2f3f3eacd6653ab215c5d2ea70811148d433fc', 'versionType': 'git'}, {'status': 'affected', 'version': '3bfdc63936dd4773109b7b8c280c0f3b5ae7d349', 'lessThan': '74e144274af39935b0f410c0ee4d2b91c3730414', 'versionType': 'git'}, {'status': 'affected', 'version': 'd8cce4773c2b23d819baf5abedc62f7b430e8745', 'versionType': 'git'}, {'status': 'affected', 'version': '8a1fc8d698ac5e5916e3082a0f74450d71f9611f', 'versionType': 'git'}, {'status': 'affected', 'version': '6d52dfcb2a5db86e346cf51f8fcf2071b8085166', 'versionType': 'git'}, {'status': 'affected', 'version': '6.1.175', 'lessThan': '6.2', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.6.140', 'lessThan': '6.7', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.12.86', 'lessThan': '6.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}, {'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '6.18.27', 'lessThan': '6.18.36', 'versionType': 'semver'}, {'status': 'affected', 'version': '7.0.4', 'lessThan': '7.0.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}] Added Description In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic(). Added Reference https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e Added Reference https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc Added Reference https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414