{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53047","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.381Z","datePublished":"2026-06-24T16:29:53.491Z","dateUpdated":"2026-06-24T16:29:53.491Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-24T16:29:53.491Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nefi/capsule-loader: fix incorrect sizeof in phys array reallocation\n\nThe krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses\nsizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be\ncausing an undersized allocation.\n\nThe allocation is also inconsistent with the initial array allocation in\nefi_capsule_open() that allocates one entry with sizeof(phys_addr_t),\nand the efi_capsule_write() function that stores phys_addr_t values (not\npointers) via page_to_phys().\n\nOn 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this\ngoes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but\npointers are 32-bit, this allocates half the required space, which might\nlead to a heap buffer overflow when storing physical addresses.\n\nThis is similar to the bug fixed in commit fccfa646ef36 (\"efi/capsule-loader:\nfix incorrect allocation size\") which fixed the same issue at the initial\nallocation site."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/firmware/efi/capsule-loader.c"],"versions":[{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"22022cd8851703a58f67615a17bc7e9e8682785b","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"67adde6bfdfd563a54b045d59aeb9a2d90c80697","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"608e1f7bc9d171ab26c1fba288c97fc76363c27d","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"8be69e9245f805566bac68ffc8574b64735fd996","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"5e185330d902b12fe8e6eb4b8514b5d736d8d66d","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"e0e6b14995fd6fa2c0df8c712d76ab32f0694c31","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"ab3f7098a3a27175b91cfc947950f5c26855801b","status":"affected","versionType":"git"},{"version":"f24c4d478013d82bd1b943df566fff3561d52864","lessThan":"48a428215782321b56956974f23593e40ce84b7a","status":"affected","versionType":"git"},{"version":"95a362c9a6892085f714eb6e31eea6a0e3aa93bf","status":"affected","versionType":"git"},{"version":"4.14.13","lessThan":"4.15","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/firmware/efi/capsule-loader.c"],"versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.6.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.12.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/22022cd8851703a58f67615a17bc7e9e8682785b"},{"url":"https://git.kernel.org/stable/c/67adde6bfdfd563a54b045d59aeb9a2d90c80697"},{"url":"https://git.kernel.org/stable/c/608e1f7bc9d171ab26c1fba288c97fc76363c27d"},{"url":"https://git.kernel.org/stable/c/8be69e9245f805566bac68ffc8574b64735fd996"},{"url":"https://git.kernel.org/stable/c/5e185330d902b12fe8e6eb4b8514b5d736d8d66d"},{"url":"https://git.kernel.org/stable/c/e0e6b14995fd6fa2c0df8c712d76ab32f0694c31"},{"url":"https://git.kernel.org/stable/c/ab3f7098a3a27175b91cfc947950f5c26855801b"},{"url":"https://git.kernel.org/stable/c/48a428215782321b56956974f23593e40ce84b7a"}],"title":"efi/capsule-loader: fix incorrect sizeof in phys array reallocation","x_generator":{"engine":"bippy-1.2.0"}}}}