Skip to main content

Linux Kernel CVE-2026-53259

| EUVDEUVD-2026-39210 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hqjh-c323-5jv8
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local access with low privilege (CAP_NET_ADMIN via user namespace) is needed, and the trigger is a narrow multi-CPU race so AC:H; a kernel UAF yields high C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:46 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv6: anycast: insert aca into global hash under idev->lock

syzbot reported a splat [1]: a slab-use-after-free in ipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash under RCU and dereferences a struct ifacaddr6 that has already been freed while still linked in the hash, so a later reader walks into a dangling node.

In __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then aca_get() bumps it to 2 to keep it alive across the unlocked region. It is published to idev->ac_list under idev->lock, but ipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent teardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL) can slip into that window:

CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL) ------------------------------ ------------------------------------ aca_alloc() refcnt 1 aca_get() refcnt 2 write_lock_bh(idev->lock) add aca to ac_list write_unlock_bh(idev->lock) write_lock_bh(idev->lock) pull aca off ac_list write_unlock_bh(idev->lock) ipv6_del_acaddr_hash(aca) hlist_del_init_rcu() is a no-op, aca is not in the hash yet aca_put() refcnt 2->1 ipv6_add_acaddr_hash(aca) aca now inserted into the hash aca_put() refcnt 1->0 call_rcu(aca_free_rcu) -> kfree(aca)

The hash removal becomes a no-op because the insertion has not happened yet, so once CPU0 inserts and drops the last reference, the aca is freed while still linked in inet6_acaddr_lst[], and readers dereference freed memory after the slab slot is reused.

This window opened once RTNL stopped serializing the join path against device teardown. Move ipv6_add_acaddr_hash() inside the idev->lock section so the ac_list and hash insertions are atomic with respect to teardown: a racing remover now either misses the aca entirely or finds it in both lists.

acaddr_hash_lock is now nested under idev->lock, which is acquired in softirq context, so switch all acaddr_hash_lock sites to spin_lock_bh() to avoid the irq lock inversion reported in [2].

[1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a [2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/

AnalysisAI

Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-priv access (e.g. CAP_NET_ADMIN in netns)
Delivery
Repeatedly join/leave IPv6 anycast group
Exploit
Race device teardown to free aca
Execution
UAF leaves freed aca in global hash
Persist
RCU reader dereferences freed slab memory
Impact
Leak kernel memory or corrupt heap for privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution with the privilege to manipulate IPv6 anycast addresses - practically CAP_NET_ADMIN, obtainable by an unprivileged user via an unprivileged user namespace, or otherwise a low-privileged local account (matching CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, low-privileged user (for example inside a container with CAP_NET_ADMIN in its own network namespace) repeatedly joins and leaves IPv6 anycast groups while concurrently tearing down the device, racing __ipv6_dev_ac_inc() against ipv6_ac_destroy_dev() to free an ifacaddr6 that is still linked in the global anycast hash. A second thread then walks inet6_acaddr_lst[] via ipv6_chk_acast_addr() to dereference the freed slab object, leaking kernel memory contents or, with heap grooming, corrupting adjacent objects toward privilege escalation. …
Remediation Vendor-released patch: upgrade to Linux 6.18.36, 7.0.13, or 7.1, or later within your maintained branch; distribution users should apply the corresponding distro kernel update that backports stable commits 15be7e9fdbff831fb3e89b83cc337a4f85ad3310, 3a967c498baa976b11d4800dda224c507416e97c, or f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3 (see https://git.kernel.org/stable/c/f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3 and the sibling commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enumerate Linux systems with IPv6 enabled and document current kernel versions across your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy