CVE-2026-52965
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
Affected versions
Linux kernel versions
6.13
and later are affected. Fixed in
7.0.10,
7.1
and their respective stable series.
References
2 totalFrequently asked questions
-
What is CVE-2026-52965?
CVE-2026-52965 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.13 onward and has been patched in 7.0.10 and 7.1. CVE-2026-52965 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
Is there a patch available for CVE-2026-52965?
Yes — CVE-2026-52965 has been patched. Fixed versions include 7.0.10 and 7.1. If you are running Linux kernel 6.13 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2026-52965 actively exploited?
No — CVE-2026-52965 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.