DEBIAN-CVE-2026-23253
In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}. The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions. Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | linux-6.1 | 0, 6.1.164-1, 6.1.162-1 |
| Debian:11 | linux | 6.16.10-1, 6.18.2-1~exp1, 6.18.3-1 |
| Debian:14 | linux | 6.17.5-1, 6.17.6-1, 6.17.7-1 |
| Debian:12 | linux | 6.3.5-1~exp1, 6.3.7-1, 6.3.7-1~bpo12+1 |
| Debian:13 | linux | 6.12.41-1, 6.12.43-1, 6.12.43-1 |
Exploit Intelligence
- 4593.2.0.yml (github-poc)
- 4628.1.0.yml (github-poc)
- 2026-05-06_426_linux-signed-amd64.yaml (github-poc)
Timeline
- Mar 18, 2026 CVE Published
- May 2, 2026 CVE Updated