2492735 – (CVE-2026-53185) CVE-2026-53185 kernel: zram: fix use-after-free in zram_bvec_write_partial()

Bug 2492735 (CVE-2026-53185) - CVE-2026-53185 kernel: zram: fix use-after-free in zram_bvec_write_partial()

Summary: CVE-2026-53185 kernel: zram: fix use-after-free in zram_bvec_write_partial()

Keywords:
Status:	NEW
Alias:	CVE-2026-53185
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-25 10:02 UTC by OSIDB Bzimport
Modified:	2026-06-25 22:13 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:02:59 UTC

In the Linux kernel, the following vulnerability has been resolved:

zram: fix use-after-free in zram_bvec_write_partial()

zram_read_page() picks the sync or async backing device read path based on
whether the parent bio is NULL.  zram_bvec_write_partial() passes its
parent bio down, so for ZRAM_WB slots the read is dispatched
asynchronously and zram_read_page() returns 0 while the bio is still in
flight.  The caller then runs memcpy_from_bvec(), zram_write_page() and
__free_page() on the buffer, leaving the async read to write into a freed
page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
("zram: fix synchronous reads") for the same reason; the write_partial
counterpart was missed.

Comment 1 Keith Grant 2026-06-25 22:12:06 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062556-CVE-2026-53185-0922@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.