CVE-2026-53243 PUBLISHED

rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

Assigner: Linux
Reserved: 09.06.2026 Published: 25.06.2026 Updated: 25.06.2026

In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

There is a bug in which an uninitialized stack variable is used in rseq_exit_user_update(), as reported by syzbot:

BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]

The local variable:

<pre>struct rseq_ids ids = {
	.cpu_id = task_cpu(t),
	.mm_cid = task_mm_cid(t),
	.node_id = cpu_to_node(ids.cpu_id),
};
</pre>

According to the C standard, the evaluation order of expressions in an initializer list is indeterminately sequenced. The compiler (Clang, in this KMSAN build) evaluates cpu_to_node(ids.cpu_id) before ids.cpu_id is initialized with task_cpu(t).

This is fixed by moving the assignment of ids.node_id outside the structure initialization.
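The following user-space C model is an added example, not the kernel's code or the actual patch. It records the order in which a compiler evaluates the designated initializers, then shows the shape of the fix described above. The struct layout, the traced() helper, the four-CPUs-per-node cpu_to_node() and the function names probe_init_order() and ids_fixed() are assumptions made for illustration.

```c
#include <stdio.h>

/* User-space model; the struct layout and helpers are stand-ins, not kernel code. */
struct rseq_ids { int cpu_id, mm_cid, node_id; };

static int eval_order[3], eval_count;

/* Record which initializer expression ran, then pass the value through. */
static int traced(int slot, int value)
{
    eval_order[eval_count++] = slot;
    return value;
}

/* Toy topology (assumption): four CPUs per NUMA node. */
static int cpu_to_node(int cpu) { return cpu / 4; }

/*
 * Every initializer is a traced call. Values always land in the named field,
 * but the order left in eval_order[] is the compiler's choice, so no
 * initializer may read a field that a sibling initializer is meant to set.
 */
static struct rseq_ids probe_init_order(int cpu, int cid)
{
    eval_count = 0;
    struct rseq_ids ids = {
        .cpu_id  = traced(0, cpu),
        .mm_cid  = traced(1, cid),
        .node_id = traced(2, cpu_to_node(cpu)), /* reads the argument, not ids.cpu_id */
    };
    return ids;
}

/* Shape of the fix: node_id is set in its own statement, after the initializer. */
static struct rseq_ids ids_fixed(int cpu, int cid)
{
    struct rseq_ids ids = { .cpu_id = cpu, .mm_cid = cid };
    ids.node_id = cpu_to_node(ids.cpu_id);
    return ids;
}

int main(void)
{
    struct rseq_ids a = probe_init_order(9, 3), b = ids_fixed(9, 3);
    printf("initializer order on this compiler: %d %d %d\n",
           eval_order[0], eval_order[1], eval_order[2]);
    printf("probe node_id=%d fixed node_id=%d\n", a.node_id, b.node_id);
    return 0;
}
```

Building this with both GCC and Clang shows whether the two agree on the order for a given target; the fixed form gives the same result under any order.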

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from d242126fd21ab8f1631fdbc8589e43a9d4229f3b to e12d20a63b61aaf9de4772effccf42cc9a003e58 (excl.)
  • affected from 82f572449cfe75f12ea985986da60e11f308f77d to 6d99479799c69c3cb588fcda19c81d8f61d64ecd (excl.)
Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 7.0.10 to 7.0.13 (excl.)

References