chuzhongyun/CVE-2026-53359-Kernel-Fix
GitHub: chuzhongyun/CVE-2026-53359-Kernel-Fix
一份通过源码编译方式将 Linux 内核升级至 7.1.3 以修复 KVM x86 UAF 漏洞(CVE-2026-53359)的详细操作指南。
Stars: 2 | Forks: 1
[中文](#中文) | [English](#english)
## 中文
# Linux Kernel 7.1.3 升级修复 CVE-2026-53359 教程
### 1. 简介
本文档记录在 CentOS Stream 8 环境下,通过源码方式升级 Linux Kernel 至 7.1.3,用于修复 **CVE-2026-53359**。
| 项目 | 说明 |
|------|------|
| **CVE 编号** | CVE-2026-53359 |
| **漏洞组件** | Linux Kernel KVM x86 Shadow MMU |
| **漏洞类型** | Use After Free (UAF) |
| **修复方式** | 升级 Linux Kernel 至包含修复代码的 stable 版本 |
**漏洞影响:**
KVM x86 Shadow Paging 场景中,异常情况下可能出现释放后的页面仍被 rmap 条目引用,引发内存安全问题。
### 2. 环境信息
| 项目 | 信息 |
|------|------|
| 系统 | CentOS Stream 8 |
| 升级前内核 | 6.18.8-1.el8.elrepo.x86_64 |
| 升级后内核 | 7.1.3 |
| 架构 | x86_64 |
| 虚拟化 | KVM Intel |
**查看当前环境:**
cat /etc/os-release
uname -r
### 3. 选择源码编译原因
由于本人服务器环境中:
- ELRepo Kernel RPM 仓库无法稳定拉取;
- 未找到适合当前环境的 RPM 更新包;
- 需要直接使用 Linux Kernel 官方 stable 修复版本;
**因此采用:**
kernel.org 官方 stable 源码编译方式升级内核。
**说明:**
该方案仅为本人服务器环境下的解决方法,不代表所有环境必须使用源码编译。
### 4. 下载源码
**官方下载:**
https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz
**下载命令:**
wget https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz
**上传位置(离线环境):**
/root/linux-7.1.3.tar.xz
### 5. 安装编译依赖
dnf groupinstall "Development Tools" -y
dnf install -y \
ncurses-devel \
elfutils-libelf-devel \
openssl-devel \
bc \
bison \
flex \
perl \
dwarves
### 6. 解压源码
mkdir -p /usr/src
cd /usr/src
tar -xf /root/linux-7.1.3.tar.xz
cd linux-7.1.3
ls Makefile # 应显示: Makefile
### 7. 使用现有配置
# 复制当前配置
cp /boot/config-$(uname -r) .config
# 生成新配置
make olddefconfig
# 检查 KVM 配置
grep -E "CONFIG_KVM|CONFIG_KVM_INTEL" .config
**预期输出:**
CONFIG_KVM=m
CONFIG_KVM_X86=m
CONFIG_KVM_INTEL=m
### 8. 编译内核
# 查看 CPU 线程数
nproc
# 编译(使用所有核心)
make -j$(nproc)
# 验证内核镜像
ls -lh arch/x86/boot/bzImage
### 9. 安装内核模块
# 安装模块
make modules_install
# 验证安装
ls /lib/modules/
# 检查 KVM 模块
find /lib/modules/7.1.3 -name "kvm*.ko*"
**预期输出:**
kvm.ko
kvm-intel.ko
kvm-amd.ko
### 10. 安装内核镜像
# 安装内核
make install
# 验证安装
ls -lh /boot | grep 7.1.3
**预期输出:**
vmlinuz-7.1.3
initramfs-7.1.3.img
System.map-7.1.3
### 11. 更新启动项
# 生成 GRUB 配置
grub2-mkconfig -o /boot/grub2/grub.cfg
# 设置默认内核
grubby --set-default /boot/vmlinuz-7.1.3
# 验证默认内核
grubby --default-kernel
**预期输出:**
/boot/vmlinuz-7.1.3
### 12. 重启
reboot
### 13. 验证
**查看内核版本:**
uname -r
# 预期: 7.1.3
**查看 KVM 模块:**
lsmod | grep kvm
# 预期: kvm_intel, kvm, irqbypass
**验证 KVM 模块位置:**
modinfo kvm_intel | grep filename
# 预期: /lib/modules/7.1.3/kernel/arch/x86/kvm/kvm-intel.ko
### 14. 回滚
**列出可用内核:**
grubby --info=ALL | grep kernel
**如果新内核有问题,设置旧内核:**
grubby --set-default /boot/vmlinuz-6.18.8-1.el8.elrepo.x86_64
reboot
### 15. 最终结果
| 项目 | 升级前 | 升级后 |
|------|--------|--------|
| 内核版本 | 6.18.8-1.el8.elrepo.x86_64 | 7.1.3 |
| KVM 状态 | N/A | 已启用 |
| CVE-2026-53359 | 受影响 | 已修复 |
## English
# Linux Kernel 7.1.3 Upgrade Guide for CVE-2026-53359 Fix
### 1. Introduction
This repository documents the manual Linux Kernel upgrade process for fixing **CVE-2026-53359**.
| Item | Description |
|------|-------------|
| **CVE ID** | CVE-2026-53359 |
| **Affected Component** | Linux Kernel KVM x86 Shadow MMU |
| **Vulnerability Type** | Use After Free (UAF) |
| **Fix Method** | Upgrade Linux Kernel to 7.1.3 from kernel.org stable source |
The vulnerability is related to KVM x86 shadow paging. Under specific conditions, freed pages may still be referenced by rmap entries, causing a potential memory safety issue.
### 2. Environment
| Item | Value |
|------|-------|
| OS | CentOS Stream 8 |
| Old Kernel | 6.18.8-1.el8.elrepo.x86_64 |
| New Kernel | 7.1.3 |
| Architecture | x86_64 |
| Virtualization | KVM Intel |
| Compiler | GCC 8.5 |
**Check current environment:**
cat /etc/os-release
uname -r
### 3. Why Build From Source
In my environment:
- ELRepo Kernel RPM repository could not be accessed reliably.
- I did not find another suitable RPM update method.
- I needed to deploy the official Linux Kernel stable release.
**Therefore:**
I used the official kernel.org stable source code and built Kernel 7.1.3 manually.
**Note:**
This is my own environment solution, not a mandatory upgrade method for all systems.
### 4. Download Kernel Source
**Official source:**
https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz
**Download:**
wget https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz
**Upload location (if offline):**
/root/linux-7.1.3.tar.xz
### 5. Install Build Dependencies
dnf groupinstall "Development Tools" -y
dnf install -y \
ncurses-devel \
elfutils-libelf-devel \
openssl-devel \
bc \
bison \
flex \
perl \
dwarves \
tar \
xz
**Verify compiler:**
gcc --version
### 6. Extract Source Code
mkdir -p /usr/src
cd /usr/src
tar -xf /root/linux-7.1.3.tar.xz
cd linux-7.1.3
ls Makefile # Should show: Makefile
### 7. Import Existing Kernel Configuration
# Copy current kernel configuration
cp /boot/config-$(uname -r) .config
# Generate new configuration
make olddefconfig
# Verify KVM configuration
grep -E "CONFIG_KVM|CONFIG_KVM_INTEL" .config
**Expected output:**
CONFIG_KVM=m
CONFIG_KVM_X86=m
CONFIG_KVM_INTEL=m
### 8. Compile Kernel
# Check CPU threads
nproc
# Compile (use all available cores)
make -j$(nproc)
# Verify kernel image
ls -lh arch/x86/boot/bzImage
### 9. Install Kernel Modules
# Install modules
make modules_install
# Verify installation
ls /lib/modules/
# Check KVM modules
find /lib/modules/7.1.3 -name "kvm*.ko*"
**Expected output:**
kvm.ko
kvm-intel.ko
kvm-amd.ko
### 10. Install Kernel Image
# Install kernel
make install
# Verify installation
ls -lh /boot | grep 7.1.3
**Expected output:**
vmlinuz-7.1.3
initramfs-7.1.3.img
System.map-7.1.3
### 11. Configure GRUB Bootloader
# Generate GRUB configuration
grub2-mkconfig -o /boot/grub2/grub.cfg
# Set default kernel
grubby --set-default /boot/vmlinuz-7.1.3
# Verify default kernel
grubby --default-kernel
**Expected output:**
/boot/vmlinuz-7.1.3
### 12. Reboot
reboot
### 13. Verification After Reboot
**Check kernel version:**
uname -r
# Expected: 7.1.3
**Check KVM modules:**
lsmod | grep kvm
# Expected: kvm_intel, kvm, irqbypass
**Verify KVM module location:**
modinfo kvm_intel | grep filename
# Expected: /lib/modules/7.1.3/kernel/arch/x86/kvm/kvm-intel.ko
### 14. Rollback Procedure
**List available kernels:**
grubby --info=ALL | grep kernel
**If the new kernel has issues, set old kernel:**
grubby --set-default /boot/vmlinuz-6.18.8-1.el8.elrepo.x86_64
reboot
### 15. Final Result
| Item | Before | After |
|------|--------|-------|
| Kernel Version | 6.18.8-1.el8.elrepo.x86_64 | 7.1.3 |
| KVM Status | N/A | Enabled |
| CVE-2026-53359 | Vulnerable | Remediated |
## License
MIT
标签:内核升级, 安全渗透, 漏洞修复, 系统运维, 编译指南, 网络安全培训