Bug 2492767 (CVE-2026-53243) - CVE-2026-53243 kernel: rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()
Summary: CVE-2026-53243 kernel: rseq: Fix using an uninitialized stack variable in rse...
Keywords:
Status: NEW
Alias: CVE-2026-53243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:04 UTC by OSIDB Bzimport
Modified: 2026-06-26 09:08 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:04:40 UTC
In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

There is an bug in which an uninitialized stack variable is used in
rseq_exit_user_update() as reported by syzbot:

BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]

The local variable:

	struct rseq_ids ids = {
		.cpu_id	 = task_cpu(t),
		.mm_cid	 = task_mm_cid(t),
		.node_id = cpu_to_node(ids.cpu_id),
	};

According to the C standard, the evaluation order of expressions in an
initializer list is indeterminately sequenced. The compiler (Clang, in
this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before*
`ids.cpu_id` is initialized with `task_cpu(t)`.

This is fixed by moving the assignment of ids.node_id outside the
structure initialization.


Note You need to log in before you can comment on or make changes to this bug.