CVE-2026-53314

Public on 2026-06-26
Modified on 2026-07-03
Description
In the Linux kernel, the following vulnerability has been resolved:

padata: Put CPU offline callback in ONLINE section to allow failure

syzbot reported the following warning:

DEAD callback error for CPU1
WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614

at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux")
which tglx traced to padata_cpu_dead() given it's the only
sub-CPUHP_TEARDOWN_CPU callback that returns an error.

Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU
so move the CPU offline callback to the ONLINE section where failure is
possible.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Kernel-5.10 Extra kernel Pending Fix
Amazon Linux 2 - Kernel-5.15 Extra kernel Pending Fix
Amazon Linux 2 - Kernel-5.4 Extra kernel Pending Fix
Amazon Linux 2 - Core kernel Not Affected
Amazon Linux 2023 kernel Pending Fix
Amazon Linux 2023 kernel6.12 Pending Fix
Amazon Linux 2023 kernel6.18 Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H