5.5
MEDIUM CVSS 3.1
CVE-2026-53166
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
Description

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

INFO

Published Date :

June 25, 2026, 9:16 a.m.

Last Modified :

July 10, 2026, 12:17 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2026-53166 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM [email protected]
Solution
Patch the Linux kernel to prevent NULL pointer dereference in remove_waiter.
  • Apply the Linux kernel patch for futex/requeue.
  • Add self-deadlock check before calling rt_mutex_start_proxy_lock.
  • Ensure waiter->task is not NULL in remove_waiter.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-53166 vulnerability anywhere in the article.

  • The Hacker News
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. Th ... Read more

Published Date: Jul 08, 2026 (1 week ago)

The following table lists the changes that have been made to the CVE-2026-53166 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Rejected by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jul. 10, 2026

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jul. 10, 2026

    Action Type Old Value New Value
    Changed Description In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic(). Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
    Removed CVSS V3.1 NIST: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Removed CWE NIST: CWE-476
    Removed CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.140 up to (excluding) 6.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.175 up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12.86 up to (excluding) 6.13 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.18.27 up to (excluding) 6.18.36 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 7.0.4 up to (excluding) 7.0.13
    Removed Reference kernel.org: https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e
    Removed Reference kernel.org: https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc
    Removed Reference kernel.org: https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414
    Removed Reference Type kernel.org: https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e Types: Patch
    Removed Reference Type kernel.org: https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc Types: Patch
    Removed Reference Type kernel.org: https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414 Types: Patch
    Removed Affected [{'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '3fb7394a837740770f0d6b4b30567e60786a63f2', 'lessThan': '16f8e17184b31382076f84751db5ac51fc02733e', 'versionType': 'git'}, {'status': 'affected', 'version': '88614876370aac8ad1050ad785a4c095ba17ac11', 'lessThan': '1f2f3f3eacd6653ab215c5d2ea70811148d433fc', 'versionType': 'git'}, {'status': 'affected', 'version': '3bfdc63936dd4773109b7b8c280c0f3b5ae7d349', 'lessThan': '74e144274af39935b0f410c0ee4d2b91c3730414', 'versionType': 'git'}, {'status': 'affected', 'version': 'd8cce4773c2b23d819baf5abedc62f7b430e8745', 'versionType': 'git'}, {'status': 'affected', 'version': '8a1fc8d698ac5e5916e3082a0f74450d71f9611f', 'versionType': 'git'}, {'status': 'affected', 'version': '6d52dfcb2a5db86e346cf51f8fcf2071b8085166', 'versionType': 'git'}, {'status': 'affected', 'version': '6.1.175', 'lessThan': '6.2', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.6.140', 'lessThan': '6.7', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.12.86', 'lessThan': '6.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}, {'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '6.18.27', 'lessThan': '6.18.36', 'versionType': 'semver'}, {'status': 'affected', 'version': '7.0.4', 'lessThan': '7.0.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}]
  • Initial Analysis by [email protected]

    Jul. 07, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-476
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.140 up to (excluding) 6.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.175 up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12.86 up to (excluding) 6.13 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.18.27 up to (excluding) 6.18.36 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 7.0.4 up to (excluding) 7.0.13
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414 Types: Patch
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2026

    Action Type Old Value New Value
    Added Affected [{'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '3fb7394a837740770f0d6b4b30567e60786a63f2', 'lessThan': '16f8e17184b31382076f84751db5ac51fc02733e', 'versionType': 'git'}, {'status': 'affected', 'version': '88614876370aac8ad1050ad785a4c095ba17ac11', 'lessThan': '1f2f3f3eacd6653ab215c5d2ea70811148d433fc', 'versionType': 'git'}, {'status': 'affected', 'version': '3bfdc63936dd4773109b7b8c280c0f3b5ae7d349', 'lessThan': '74e144274af39935b0f410c0ee4d2b91c3730414', 'versionType': 'git'}, {'status': 'affected', 'version': 'd8cce4773c2b23d819baf5abedc62f7b430e8745', 'versionType': 'git'}, {'status': 'affected', 'version': '8a1fc8d698ac5e5916e3082a0f74450d71f9611f', 'versionType': 'git'}, {'status': 'affected', 'version': '6d52dfcb2a5db86e346cf51f8fcf2071b8085166', 'versionType': 'git'}, {'status': 'affected', 'version': '6.1.175', 'lessThan': '6.2', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.6.140', 'lessThan': '6.7', 'versionType': 'semver'}, {'status': 'affected', 'version': '6.12.86', 'lessThan': '6.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}, {'repo': 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git', 'vendor': 'Linux', 'product': 'Linux', 'versions': [{'status': 'affected', 'version': '6.18.27', 'lessThan': '6.18.36', 'versionType': 'semver'}, {'status': 'affected', 'version': '7.0.4', 'lessThan': '7.0.13', 'versionType': 'semver'}], 'programFiles': ['kernel/futex/requeue.c'], 'defaultStatus': 'unaffected'}]
    Added Description In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
    Added Reference https://git.kernel.org/stable/c/16f8e17184b31382076f84751db5ac51fc02733e
    Added Reference https://git.kernel.org/stable/c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc
    Added Reference https://git.kernel.org/stable/c/74e144274af39935b0f410c0ee4d2b91c3730414
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.