Skip to main content

Linux Kernel CVE-2026-53157

| EUVDEUVD-2026-39248 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w8w6-f4mm-hw75
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local-only bug needing net-admin device teardown (PR:H) and a won RCU race window (AC:H); slab UAF can yield full C/I/A kernel impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 19:08 vuln.today
CVSS changed
Jul 07, 2026 - 19:07 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: phonet: free phonet_device after RCU grace period

phonet_device_destroy() removes a phonet_device from the per-net device list with list_del_rcu(), but frees it immediately. RCU readers walking the same list can still hold a pointer to the object after it has been removed, leading to a slab-use-after-free.

Use kfree_rcu(), matching the lifetime rule already used by phonet_address_del() for the same object type.

AnalysisAI

Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local shell with net-admin capability
Delivery
Load/use Phonet device interface
Exploit
Race device teardown against RCU list walk
Execution
Trigger use-after-free on freed phonet_device
Persist
Reallocate freed slab object with controlled data
Impact
Corrupt kernel memory for DoS or privilege escalation

Vulnerability AssessmentAI

Exploitation Requires local access to a Linux system where the Phonet subsystem is compiled and loaded (CONFIG_PHONET enabled, phonet module present), plus the privilege to trigger phonet_device_destroy() - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a genuine-but-not-urgent memory-safety bug rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with the ability to create and destroy Phonet devices repeatedly races device teardown (phonet_device_destroy) against another thread walking the per-net phonet device list under RCU, causing a reader to dereference a phonet_device that was freed before the grace period elapsed. By grooming the kernel slab to reallocate the freed object with attacker-controlled data, this use-after-free can be steered toward information disclosure, denial of service (kernel panic), or potentially privilege escalation. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 (or later) - which replaces the immediate free in phonet_device_destroy() with kfree_rcu() so the phonet_device is released only after an RCU grace period; the fix commits are 71de0177b28da751f407581a4515cf4d762f6296, 52b8f5ef82c886f7cd24617915e4b1579ddfd001 and bff309ea51f1395c1ef8be8b75ce62d28a319113 at git.kernel.org. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running vulnerable Linux kernel versions via automated scanning tools or manual enumeration (uname -r). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy