Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AV:L confirmed; AC:H because exploitation requires a specific SMP race window during state destruction with an active iptfs SA; PR:L for CAP_NET_ADMIN in user-namespace contexts.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock that the timer callback also acquires, leading to an ABBA deadlock on SMP systems.
For the output timer (iptfs_timer):
- iptfs_destroy_state() holds x->lock, calls hrtimer_cancel()
- iptfs_delay_timer() callback takes x->lock
For the drop timer (drop_timer):
- iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel()
- iptfs_drop_timer() callback takes drop_lock
Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq context. When hrtimer_cancel() is called for a soft timer that is currently executing on another CPU, hrtimer_cancel_wait_running() spins on softirq_expiry_lock -- the same lock held by the softirq running the callback. If the callback is blocked waiting for the spinlock held by the caller of hrtimer_cancel(), a circular dependency forms:
CPU 0: holds lock_A -> waits for softirq_expiry_lock CPU 1: holds softirq_expiry_lock -> waits for lock_A
Fix by calling hrtimer_cancel() before acquiring the respective locks. hrtimer_cancel() is safe to call without holding any lock and will wait for any in-progress callback to complete. For the output timer, the lock is still acquired afterwards to drain the packet queue. For the drop timer, the lock/unlock pair is removed entirely since it only existed to serialize with the timer callback, which hrtimer_cancel() already guarantees.
Found by source code audit.
AnalysisAI
ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: first, the target system must be running a multiprocessor (SMP) kernel - single-CPU systems cannot trigger the race condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with CAP_NET_ADMIN or equivalent privileges (e.g., within a user namespace on systems with unprivileged namespaces enabled) configures an iptfs xfrm Security Association on a multiprocessor system. When the SA is destroyed - for example, upon session teardown or administrative removal - the iptfs_destroy_state() function acquires its spinlock and calls hrtimer_cancel(). … |
| Remediation | The primary fix is to upgrade to a patched Linux kernel version: 6.18.36 or later on the 6.18 stable branch (commit 822b98d354e63e8249e85473c5f3c519f3c9cecc, available at https://git.kernel.org/stable/c/822b98d354e63e8249e85473c5f3c519f3c9cecc), 7.0.13 or later on the 7.0 stable branch (commit c8a8a75b733467b00c08b91a38dbaf207a08ed6e, available at https://git.kernel.org/stable/c/c8a8a75b733467b00c08b91a38dbaf207a08ed6e), or Linux 7.1 mainline (commit a13ca53e47e500854a3b9ec18b5dc83acfec863e, available at https://git.kernel.org/stable/c/a13ca53e47e500854a3b9ec18b5dc83acfec863e). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-667 – Improper Locking
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39288
GHSA-cwx4-f9x9-pqhh