{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53067", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.382Z", "datePublished": "2026-06-24T16:30:09.492Z", "dateUpdated": "2026-06-24T16:30:09.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T16:30:09.492Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc\n\npci_epf_alloc_doorbell() stores the allocated doorbell message array in\nepf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation\nfails, the array is freed but the EPF state may still point to freed\nmemory.\n\nClear epf->db_msg and epf->num_db on the MSI allocation failure path so\nthat later cleanup cannot double-free the array and callers can retry\nallocation.\n\nAlso return -EBUSY when doorbells have already been allocated to prevent\nleaking or overwriting an existing allocation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/pci/endpoint/pci-ep-msi.c"], "versions": [{"version": "1c3b002c6bf684b445a7107609979bca5f21bc03", "lessThan": "175717cfc06cab79f84cd037d66dda1b8564cd9e", "status": "affected", "versionType": "git"}, {"version": "1c3b002c6bf684b445a7107609979bca5f21bc03", "lessThan": "3c25587fbf8797b92090b064a6d239a873e55fb1", "status": "affected", "versionType": "git"}, {"version": "1c3b002c6bf684b445a7107609979bca5f21bc03", "lessThan": "1cba96c0a795124c3229293ed7b5b5765e66f259", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/pci/endpoint/pci-ep-msi.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.33", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.10", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.33"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/175717cfc06cab79f84cd037d66dda1b8564cd9e"}, {"url": "https://git.kernel.org/stable/c/3c25587fbf8797b92090b064a6d239a873e55fb1"}, {"url": "https://git.kernel.org/stable/c/1cba96c0a795124c3229293ed7b5b5765e66f259"}], "title": "PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc", "id": "2492399", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492399"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1341", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nPCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc\npci_epf_alloc_doorbell() stores the allocated doorbell message array in\nepf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation\nfails, the array is freed but the EPF state may still point to freed\nmemory.\nClear epf->db_msg and epf->num_db on the MSI allocation failure path so\nthat later cleanup cannot double-free the array and callers can retry\nallocation.\nAlso return -EBUSY when doorbells have already been allocated to prevent\nleaking or overwriting an existing allocation.", "A flaw was found in the Linux kernel's PCI (Peripheral Component Interconnect) endpoint Message Signaled Interrupts (MSI) doorbell allocation. When MSI allocation fails, the system may attempt to free already freed memory, leading to a double-free vulnerability. This issue can result in memory corruption or a denial of service (DoS) condition, making the system unstable or unresponsive. Additionally, improper handling of already allocated doorbells could lead to memory leaks or overwriting existing allocations."], "name": "CVE-2026-53067", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53067\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53067\nhttps://lore.kernel.org/linux-cve-announce/2026062403-CVE-2026-53067-ec86@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1c3b002c6bf684b445a7107609979bca5f21bc03,175717cfc06cab79f84cd037d66dda1b8564cd9e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1c3b002c6bf684b445a7107609979bca5f21bc03,3c25587fbf8797b92090b064a6d239a873e55fb1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1c3b002c6bf684b445a7107609979bca5f21bc03,1cba96c0a795124c3229293ed7b5b5765e66f259)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.33,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.10,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-06-24T19:30:08.641596+00:00", "updated": "2026-06-27T02:45:09.243947+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-1341", "CWE-415", "CWE-416"]}