GHSA-xq85-jg4p-xf7w · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled...
In the Linux kernel, the following vulnerability has been resolved:

ublk: reset per-IO canceled flag on each fetch

If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding.

Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen).
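The flag logic described above can be reproduced in a small user-space model. This is an added example, not kernel code: the `model_*` names, the queue depth of 4, and the assumption that every flag is still set when recovery starts are illustrative only.

```c
#include <stdbool.h>
#include <stdio.h>

#define QUEUE_DEPTH 4

/* Simplified model; all names are hypothetical, not the kernel's. */
struct model_io {
    bool fetch_outstanding; /* a fetch command is pending for this IO */
    bool canceled;          /* per-IO canceled flag */
};

static void model_fetch(struct model_io *ios, int tag, int *nr_fetched, bool fixed)
{
    ios[tag].fetch_outstanding = true;
    (*nr_fetched)++;
    if (fixed)                                /* fix: reset on each fetch */
        ios[tag].canceled = false;
    else if (*nr_fetched == QUEUE_DEPTH)      /* old: reset once all are fetched */
        for (int i = 0; i < QUEUE_DEPTH; i++)
            ios[i].canceled = false;
}

/* Server fetches n IOs, then dies; returns fetch commands left outstanding. */
static int model_stuck_after_partial_fetch(bool fixed, int n)
{
    struct model_io ios[QUEUE_DEPTH];
    int nr_fetched = 0, stuck = 0;

    /* Assumed recovery start state: flags still set from an earlier cancel. */
    for (int i = 0; i < QUEUE_DEPTH; i++)
        ios[i] = (struct model_io){ .fetch_outstanding = false, .canceled = true };
    for (int tag = 0; tag < n; tag++)
        model_fetch(ios, tag, &nr_fetched, fixed);
    for (int i = 0; i < QUEUE_DEPTH; i++) {   /* cancel path after server death */
        if (!ios[i].canceled) {               /* a set flag means "skip this IO" */
            ios[i].canceled = true;
            ios[i].fetch_outstanding = false; /* stands in for io_uring_cmd_done */
        }
        stuck += ios[i].fetch_outstanding;
    }
    return stuck;
}

int main(void)
{
    printf("old:   %d stuck\n", model_stuck_after_partial_fetch(false, 2));
    printf("fixed: %d stuck\n", model_stuck_after_partial_fetch(true, 2));
    return 0;
}
```

In the model, only a nonempty proper subset (1 to 3 fetched IOs here) leaves commands stuck under the old reset rule; zero or all fetched IOs cancel cleanly either way.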
Conclusion & alert: CVE-2026-53124 is rated Low Risk (4.1/100): low exploitation likelihood (EPSS 0.14%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-25 | — | 0.14% | — |
CVSS metrics for this CVE.
No CVSS data in dataset for this CVE.
| vendor | priority | summary | link |
|---|---|---|---|
| debian | unimportant | CVE-2026-53124 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2026-53124 |
| redhat | low | — | https://access.redhat.com/security/cve/CVE-2026-53124 |
| suse | medium | CVE-2026-53124 severity moderate: SUSE including 21 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 199 product×package rows across 40 product lines (SUSE Linux Enterprise High Availability Extension 15 SP7, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, … (40 product lines)): Known Not Affected 199. | https://www.suse.com/security/cve/CVE-2026-53124/ |
| ubuntu | low | CVE-2026-53124 low priority: Ubuntu including 160 source packages (linux, linux-allwinner-5.19, …), 1440 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1038, ignored 172, not-affected 111, released 86, needed 30, needs-triage 2, pending 1. | https://ubuntu.com/security/CVE-2026-53124 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | >= 6.15, < 7.0.10 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.15, < 7.1 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.14.6 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |