CVE-2026-53304

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/06/2026
Last modified:
30/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: sg: Resolve soft lockup issue when opening /dev/sgX<br /> <br /> The parameter def_reserved_size defines the default buffer size reserved<br /> for each Sg_fd and should be restricted to a range between 0 and 1,048,576<br /> (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the<br /> function sg_proc_write_dressz enforces this limit, it is possible to bypass<br /> it by directly modifying the module parameter as shown below, which then<br /> causes a soft lockup:<br /> <br /> echo -1 &gt; /sys/module/sg/parameters/def_reserved_size<br /> exec 4 /dev/sg0<br /> <br /> watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]<br /> Modules loaded:<br /> CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134,<br /> PREEMPT disabled<br /> Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version<br /> 1.16.1-2.fc37 dated 04/01/2014<br /> ...<br /> Call Trace:<br /> <br /> sg_build_reserve+0x5c/0xa0<br /> sg_add_sfp+0x168/0x270<br /> sg_open+0x16e/0x340<br /> chrdev_open+0xbe/0x230<br /> do_dentry_open+0x175/0x480<br /> vfs_open+0x34/0xf0<br /> do_open+0x265/0x3d0<br /> path_openat+0x110/0x290<br /> do_filp_open+0xc3/0x170<br /> do_sys_openat2+0x71/0xe0<br /> __x64_sys_openat+0x6d/0xa0<br /> do_syscall_64+0x62/0x310<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The fix is to use module_param_cb to validate and reject invalid values<br /> assigned to def_reserved_size.

Impact