Skip to main content

Linux Kernel CVE-2026-53240

| EUVDEUVD-2026-39191 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5m64-3x43-vxjx
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Network-delivered IP-TFS packets but exploitation hinges on winning a kernel race (AC:H) over a configured SA (PR:L); UAF most reliably yields corruption/crash (I/A:H) with limited leak (C:L).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:42 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload

__input_process_payload() stores first_skb into xtfs->ra_newskb under drop_lock when starting partial reassembly, then unlocks and breaks out of the processing loop. The post-loop check reads xtfs->ra_newskb without the lock to decide whether first_skb is still owned:

if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)

Between spin_unlock and this read, a concurrent CPU running iptfs_reassem_cont() (or the drop_timer hrtimer) can complete reassembly, NULL xtfs->ra_newskb, and free the skb. The check then evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb operate on the freed skb - a use-after-free in skbuff_head_cache.

Replace the unlocked read with a local bool that records whether first_skb was handed to the reassembly state in the current call. The flag is set after the existing spin_unlock, before the break, using the pointer equality that is stable at that point (first_skb == skb iff first_skb was stored in ra_newskb).

AnalysisAI

Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish or inject into IP-TFS IPsec SA
Delivery
Send timed fragmented IP-TFS payloads
Exploit
Trigger partial reassembly storing first_skb
Execution
Race concurrent reassembly to free skb
Persist
UAF on freed skbuff during trim/consume
Impact
Kernel memory corruption or crash (DoS)

Vulnerability AssessmentAI

Exploitation Requires the target to be running an IPsec SA in XFRM IP-TFS / AGGFRAG mode (RFC 9347) on a kernel 6.14 or later - this is a non-default, niche configuration and is the hard prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward lower real-world priority than the 8.8 base score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who is a peer (or can inject into) an established IPsec SA running in IP-TFS mode sends a carefully timed stream of fragmented/aggregated IP-TFS payloads that force partial reassembly on one CPU while concurrent reassembly completion or the drop timer fires on another, freeing the first_skb mid-processing. Winning this race most reliably crashes the kernel (denial of service); with precise heap grooming a UAF in skbuff_head_cache could in principle be steered toward memory corruption. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 (or your distribution's backport carrying commits 8d9a79fbf517, eb48730bb827, or ff2ee35b6ce5). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify Linux systems in your infrastructure running kernel 6.14+ with IPsec IP-TFS enabled (typically VPN services or network encryption points). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy