CVE-2026-53047 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

efi/capsule-loader: fix incorrect sizeof in phys array reallocation

The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.

The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().

On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.

This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< 22022cd8851703a58f67615a17bc7e9e8682785b
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< 67adde6bfdfd563a54b045d59aeb9a2d90c80697
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< 608e1f7bc9d171ab26c1fba288c97fc76363c27d
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< 8be69e9245f805566bac68ffc8574b64735fd996
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< 5e185330d902b12fe8e6eb4b8514b5d736d8d66d
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< e0e6b14995fd6fa2c0df8c712d76ab32f0694c31
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< ab3f7098a3a27175b91cfc947950f5c26855801b
`f24c4d478013d82bd1b943df566fff3561d52864`	affected	< 48a428215782321b56956974f23593e40ce84b7a
`95a362c9a6892085f714eb6e31eea6a0e3aa93bf`	affected	—
`4.14.13`	affected	< 4.15

Linux

affected

Version	Status	Constraints
`4.15`	affected	—
`0`	unaffected	< 4.15
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/22022cd8851703a58f67615a17bc7e9e8682785b
https://git.kernel.org/stable/c/48a428215782321b56956974f23593e40ce84b7a
https://git.kernel.org/stable/c/5e185330d902b12fe8e6eb4b8514b5d736d8d66d
https://git.kernel.org/stable/c/608e1f7bc9d171ab26c1fba288c97fc76363c27d
https://git.kernel.org/stable/c/67adde6bfdfd563a54b045d59aeb9a2d90c80697
https://git.kernel.org/stable/c/8be69e9245f805566bac68ffc8574b64735fd996
https://git.kernel.org/stable/c/ab3f7098a3a27175b91cfc947950f5c26855801b
https://git.kernel.org/stable/c/e0e6b14995fd6fa2c0df8c712d76ab32f0694c31

History

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t ) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t ), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.
Title		efi/capsule-loader: fix incorrect sizeof in phys array reallocation
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/22022cd8851703a58f67615a17bc7e9e8682785b https://git.kernel.org/stable/c/48a428215782321b56956974f23593e40ce84b7a https://git.kernel.org/stable/c/5e185330d902b12fe8e6eb4b8514b5d736d8d66d https://git.kernel.org/stable/c/608e1f7bc9d171ab26c1fba288c97fc76363c27d https://git.kernel.org/stable/c/67adde6bfdfd563a54b045d59aeb9a2d90c80697 https://git.kernel.org/stable/c/8be69e9245f805566bac68ffc8574b64735fd996 https://git.kernel.org/stable/c/ab3f7098a3a27175b91cfc947950f5c26855801b https://git.kernel.org/stable/c/e0e6b14995fd6fa2c0df8c712d76ab32f0694c31

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:53.491Z

Updated: 2026-06-24T16:29:53.491Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53047

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object