CVE-2026-53116
- Source
- https://cve.org/CVERecord?id=CVE-2026-53116
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53116.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-53116
- Downstream
- Published
- 2026-06-24T16:30:47.982Z
- Modified
- 2026-06-26T12:06:23.548459978Z
- Summary
- s390/ap: use generic driver_override infrastructure
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
s390/ap: use generic driver_override infrastructure
When the AP masks are updated via apmaskstore() or aqmaskstore(), apbusrevisebindings() is called after apattr_mutex has been released.
This calls _aprevisereserved(), which accesses the driveroverride field without holding any lock, racing against a concurrent driveroverridestore() that may free the old string, resulting in a potential UAF.
Fix this by using the driver-core driver_override infrastructure, which protects all accesses with an internal spinlock.
Note that unlike most other buses, the AP bus does not check driveroverride in its match() callback; the override is checked in apdevice_probe() and __aprevisereserved() instead.
Also note that we do not enable the driveroverride feature of struct bustype, as AP - in contrast to most other buses - passes "" to sysfsemit() when the driveroverride pointer is NULL. Thus, printing "\n" instead of "(null)\n".
Additionally, AP has a custom counter that is modified in the corresponding custom driveroverridestore().
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53116.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/81d6f7c3a70b10ff757ee8b5f8114a190871cf1e
- https://git.kernel.org/stable/c/8f2eca0570438b94602da1297353eb7b10dcb6cb
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53116.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-53116
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git