Skip to main content

Linux Kernel CVE-2026-53262

| EUVDEUVD-2026-39213 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5xjr-h8mp-chfc
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local low-priv user (AV:L/PR:L), but winning a kernel race plus a userfaultfd sleep primitive makes it high-complexity (AC:H); UAF yields full kernel memory-corruption impact (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:47 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()

pppol2tp_ioctl() read sock->sk->sk_user_data directly without any locks or reference counting. If a controllable sleep was induced during copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent socket close could trigger pppol2tp_session_close() asynchronously. This frees the l2tp_session structure via the l2tp_session_del_work workqueue. Upon resuming, the ioctl thread dereferences the stale session pointer, resulting in a Use-After-Free (UAF).

Fix this by securely fetching the session reference using the RCU-safe, refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the session's refcount across the sleep. We structured the function to exit via standard err breaks, guaranteeing that l2tp_session_put() is cleanly called on all return paths to drop the reference.

To preserve existing behavior we validate the session and its magic signature only for the specific L2TP commands that require it. This ensures that generic/unknown ioctls called on an unconnected socket still return -ENOIOCTLCMD and correctly fall back to generic handlers (e.g. in sock_do_ioctl()).

AnalysisAI

Local privilege escalation via use-after-free in the Linux kernel's L2TP PPP (pppol2tp) subsystem allows a low-privileged local user holding a pppol2tp socket to corrupt freed kernel memory. The flaw is a race in pppol2tp_ioctl(), where sk_user_data was dereferenced without reference counting; an attacker stalls the ioctl mid-copy (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Local unprivileged shell access
Delivery
Open PPPoL2TP socket
Exploit
Issue ioctl with userfaultfd-backed buffer
Install
Stall in copy_from_user, close socket to free session
C2
Resume ioctl, dereference dangling pointer (UAF)
Execute
Groom freed kernel memory
Impact
Escalate privileges to root

Vulnerability AssessmentAI

Exploitation Requires local code execution as an unprivileged user (PR:L) who can open a PPPoL2TP (AF_PPPOX / PX_PROTO_OL2TP) socket, meaning the l2tp_ppp module must be loaded or autoloadable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8) reflects a high-impact local flaw, and the impact triad is consistent with a kernel UAF that can yield memory corruption and likely privilege escalation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user opens a PPPoL2TP socket and invokes an ioctl whose argument buffer is backed by a userfaultfd-registered page, stalling the kernel inside copy_from_user(). From a second thread they close the socket, triggering asynchronous free of the l2tp_session; when the ioctl resumes it dereferences the freed object, giving a use-after-free that can be groomed toward kernel memory corruption and privilege escalation. …
Remediation Apply the vendor-released patch by upgrading to a fixed stable kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 or later - or install your distribution's backported kernel update referencing CVE-2026-53262; the upstream fix is in commits at https://git.kernel.org/stable/c/62f327e287cf7b595ae3f73ba72f5cd2a9e9f39f and the related stable commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Query infrastructure to identify Linux systems with L2TP (pppol2tp kernel module) active, particularly those supporting untrusted or shared local user access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy