Skip to main content

Linux Kernel CVE-2026-53197

| EUVDEUVD-2026-39288 MEDIUM
Improper Locking (CWE-667)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cwx4-f9x9-pqhh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AV:L confirmed; AC:H because exploitation requires a specific SMP race window during state destruction with an active iptfs SA; PR:L for CAP_NET_ADMIN in user-namespace contexts.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 12:40 vuln.today
CVSS changed
Jul 06, 2026 - 12:37 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()

iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock that the timer callback also acquires, leading to an ABBA deadlock on SMP systems.

For the output timer (iptfs_timer):

  • iptfs_destroy_state() holds x->lock, calls hrtimer_cancel()
  • iptfs_delay_timer() callback takes x->lock

For the drop timer (drop_timer):

  • iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel()
  • iptfs_drop_timer() callback takes drop_lock

Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq context. When hrtimer_cancel() is called for a soft timer that is currently executing on another CPU, hrtimer_cancel_wait_running() spins on softirq_expiry_lock -- the same lock held by the softirq running the callback. If the callback is blocked waiting for the spinlock held by the caller of hrtimer_cancel(), a circular dependency forms:

CPU 0: holds lock_A -> waits for softirq_expiry_lock CPU 1: holds softirq_expiry_lock -> waits for lock_A

Fix by calling hrtimer_cancel() before acquiring the respective locks. hrtimer_cancel() is safe to call without holding any lock and will wait for any in-progress callback to complete. For the output timer, the lock is still acquired afterwards to drain the packet queue. For the drop timer, the lock/unlock pair is removed entirely since it only existed to serialize with the timer callback, which hrtimer_cancel() already guarantees.

Found by source code audit.

AnalysisAI

ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local access with CAP_NET_ADMIN
Delivery
Configure iptfs-mode xfrm Security Association
Exploit
Initiate SA destruction on CPU 0
Install
Spinlock acquired, hrtimer_cancel() called
C2
Timer callback fires concurrently on CPU 1
Execute
ABBA circular lock dependency
Impact
Kernel deadlock causes system hang

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: first, the target system must be running a multiprocessor (SMP) kernel - single-CPU systems cannot trigger the race condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with CAP_NET_ADMIN or equivalent privileges (e.g., within a user namespace on systems with unprivileged namespaces enabled) configures an iptfs xfrm Security Association on a multiprocessor system. When the SA is destroyed - for example, upon session teardown or administrative removal - the iptfs_destroy_state() function acquires its spinlock and calls hrtimer_cancel(). …
Remediation The primary fix is to upgrade to a patched Linux kernel version: 6.18.36 or later on the 6.18 stable branch (commit 822b98d354e63e8249e85473c5f3c519f3c9cecc, available at https://git.kernel.org/stable/c/822b98d354e63e8249e85473c5f3c519f3c9cecc), 7.0.13 or later on the 7.0 stable branch (commit c8a8a75b733467b00c08b91a38dbaf207a08ed6e, available at https://git.kernel.org/stable/c/c8a8a75b733467b00c08b91a38dbaf207a08ed6e), or Linux 7.1 mainline (commit a13ca53e47e500854a3b9ec18b5dc83acfec863e, available at https://git.kernel.org/stable/c/a13ca53e47e500854a3b9ec18b5dc83acfec863e). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy