Skip to main content

Linux Kernel CVE-2026-53175

| EUVDEUVD-2026-39266 CRITICAL
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j4jv-fp59-574f
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Trigger is a local teardown-vs-reassembly race needing namespace control, so AV:L/AC:H/PR:L; a kernel slab UAF can corrupt memory, giving C:H/I:H/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:21 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable.

fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well.

Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.

AnalysisAI

Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Create/control network namespace
Delivery
Drive fragmented IP traffic to start reassembly
Exploit
Trigger netns teardown during in-flight reassembly
Execution
Win race past INET_FRAG_COMPLETE check
Persist
Dereference freed fragments_tail (slab UAF)
Impact
Kernel memory corruption or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires a race between network-namespace teardown (fqdir_pre_exit() flushing incomplete fragment queues) and an in-flight IP-fragment reassembly that has already obtained the queue via inet_frag_find() but stalled just before acquiring the queue lock - both must occur concurrently against the same fqdir. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict sharply and should be reconciled before prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a multi-tenant container host, a local unprivileged user creates a network namespace, drives fragmented IP traffic into it so that reassembly is in progress, then triggers teardown of that namespace to race fqdir_pre_exit()'s flush against an in-flight reassembly that has already fetched the queue but not yet taken the lock. Winning the race causes inet_frag_queue_insert() to dereference and write through freed skb memory, yielding a slab use-after-free that can crash the kernel (DoS) and, with skillful heap grooming, potentially escalate to memory corruption. …
Remediation Apply the vendor-released stable patch for your branch: upgrade to Linux 6.12.94 or later on the 6.12 series, 6.18.36 or later on the 6.18 series, 7.0.13 or later on the 7.0 series, or 7.1 on the development line, per the EUVD fixed-version data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems and current kernel versions across your infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy