Linux Distros Unpatched Vulnerability : CVE-2026-53109

25 Jun 2026 | Reported by Tenable | Type: nessus | Source: www.tenable.com

CVE-2026-53109: Unpatched Linux kernel pte fragment handling on powerpc causes bad page state.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CVE | CVE-2026-53109 | 24 Jun 2026 16:30 | cve |
| Cvelist | CVE-2026-53109 powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy | 24 Jun 2026 16:30 | cvelist |
| Debian CVE | CVE-2026-53109 | 24 Jun 2026 16:30 | debiancve |
| EUVD | EUVD-2026-38977 | 24 Jun 2026 16:30 | euvd |
| NVD | CVE-2026-53109 | 24 Jun 2026 17:17 | nvd |
| OSV | BELL-CVE-2026-53109 | 26 Jun 2026 06:12 | osv |
| OSV | DEBIAN-CVE-2026-53109 | 24 Jun 2026 17:17 | osv |
| OSV | ROOT-OS-DEBIAN-13-CVE-2026-53109 CVE-2026-53109 in rootio-linux - Patched by Root | 27 Jun 2026 04:23 | osv |
| OSV | UBUNTU-CVE-2026-53109 | 24 Jun 2026 17:17 | osv |
| Positive Technologies | PT-2026-52003 | 24 Jun 2026 00:00 | ptsecurity |

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(322711);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/25");

  script_cve_id("CVE-2026-53109");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-53109");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy powerpc uses pt_frag_refcount as a reference
    counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K
    pagesize, we have 16 fragments of 4K size in one 64K page. Patch series [1] mm: free retracted page table
    by RCU added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for
    madvise MADV_COLLAPSE on shmem range. [1]:
    https://lore.kernel.org/all/[email protected]/ pte_free_defer() sets the
    active flag on the corresponding fragment's folio & calls pte_fragment_free(), which reduces the
    pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks if the
    folio active flag is set, if set, it calls call_rcu to free the folio, it the active flag is unset then it
    calls pte_free_now(). Now, this can lead to following problem in a corner case... [ 265.351553][ T183]
    BUG: Bad page state in process a.out pfn:20d62 [ 265.353555][ T183] page: refcount:0 mapcount:0
    mapping:0000000000000000 index:0x0 pfn:0x20d62 [ 265.355457][ T183] flags:
    0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff) [ 265.358719][ T183] raw: 003ffff800000100
    0000000000000000 5deadbeef0000122 0000000000000000 [ 265.360177][ T183] raw: 0000000000000000
    c0000000119caf58 00000000ffffffff 0000000000000000 [ 265.361438][ T183] page dumped because:
    PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 265.362572][ T183] Modules linked in: [ 265.364622][ T183] CPU: 0
    UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY [ 265.364785][
    T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-
    ee03ae pSeries [ 265.364908][ T183] Call Trace: [ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18]
    dump_stack_lvl+0x130/0x148 (unreliable) [ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758]
    bad_page+0xb4/0x1c8 [ 265.365384][ T183] [c000000011e6f890] [c00000000079c020]
    __free_frozen_pages+0x838/0xd08 [ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac]
    pte_frag_destroy+0x298/0x310 [ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764]
    arch_exit_mmap+0x34/0x218 [ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820
    [ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300 [ 265.366244][ T183]
    [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508 [ 265.366421][ T183] [c000000011e6fd70]
    [c0000000001c95e4] do_group_exit+0x88/0x148 [ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec]
    pid_child_should_wake+0x0/0x178 [ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270]
    system_call_exception+0x1b0/0x4e0 [ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c]
    system_call_vectored_common+0x15c/0x2ec The bad page state error occurs when such a folio gets freed (with
    active flag set), from do_exit() path in parallel. ... this can happen when the pte fragment was allocated
    from this folio, but when all the fragments get freed, the pte_frag_refcount still had some unused
    fragments. Now, if this process exits, with such folio as it's cached pte_frag in mm->context, then during
    pte_frag_destroy(), we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the
    active flag. This, can lead to the above bug. Since we are anyway in do_exit() path, then if the refcount
    is 0, then I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() &
    pagetable_free(). (CVE-2026-53109)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-53109");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-53109");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-13");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "bpftool"},
          {"reference": "hyperv-daemons"},
          {"reference": "intel-sdsi"},
          {"reference": "libcpupower-dev"},
          {"reference": "libcpupower1"},
          {"reference": "linux-bpf-dev"},
          {"reference": "linux-config-6.12"},
          {"reference": "linux-cpupower"},
          {"reference": "linux-doc"},
          {"reference": "linux-doc-6.12"},
          {"reference": "linux-headers-4kc-malta"},
          {"reference": "linux-headers-5kc-malta"},
          {"reference": "linux-headers-6.12.86+deb13-4kc-malta"},
          {"reference": "linux-headers-6.12.86+deb13-5kc-malta"},
          {"reference": "linux-headers-6.12.86+deb13-alpha-generic"},
          {"reference": "linux-headers-6.12.86+deb13-alpha-smp"},
          {"reference": "linux-headers-6.12.86+deb13-amd64"},
          {"reference": "linux-headers-6.12.86+deb13-arm64"},
          {"reference": "linux-headers-6.12.86+deb13-arm64-16k"},
          {"reference": "linux-headers-6.12.86+deb13-armmp"},
          {"reference": "linux-headers-6.12.86+deb13-armmp-lpae"},
          {"reference": "linux-headers-6.12.86+deb13-cloud-amd64"},
          {"reference": "linux-headers-6.12.86+deb13-cloud-arm64"},
          {"reference": "linux-headers-6.12.86+deb13-common"},
          {"reference": "linux-headers-6.12.86+deb13-common-rt"},
          {"reference": "linux-headers-6.12.86+deb13-loong64"},
          {"reference": "linux-headers-6.12.86+deb13-loongson-3"},
          {"reference": "linux-headers-6.12.86+deb13-m68k"},
          {"reference": "linux-headers-6.12.86+deb13-mips32r2eb"},
          {"reference": "linux-headers-6.12.86+deb13-mips32r2el"},
          {"reference": "linux-headers-6.12.86+deb13-mips64r2eb"},
          {"reference": "linux-headers-6.12.86+deb13-mips64r2el"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}


Vulners AI Score: 5.9 (Medium risk)
EPSS: 0.00161