Skip to main content

Linux Kernel CVE-2026-53264

| EUVDEUVD-2026-39215 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vq3g-6qwh-5wj2
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local-only via tc netlink so AV:L; CAP_NET_ADMIN needed so PR:L; success depends on winning a concurrent free/re-reference race so AC:H; UAF yields full memory-corruption impact C:H/I:H/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:47 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: use RCU with deferred freeing for action lifecycle

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action.

Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.

AnalysisAI

Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access with CAP_NET_ADMIN
Delivery
Spawn concurrent NEWTFILTER/DELFILTER threads
Exploit
Race free of tc action object
Execution
Re-reference freed object via dangling refcount
Persist
Reclaim and corrupt kernel memory
Impact
Escalate privileges or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution and CAP_NET_ADMIN within the relevant network namespace in order to invoke tc filter operations over netlink; on distributions that permit unprivileged user namespaces this capability is reachable by an otherwise unprivileged local user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N, C:H/I:H/A:H = 7.8 High) indicates a local attacker with some privileges and high impact, but the description makes clear this is a timing-dependent race between two concurrent operations, which in practice raises attack complexity above the AC:L rating - winning the NEWTFILTER/DELFILTER window is non-deterministic, so AC:H is more realistic (see assessed vector). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with CAP_NET_ADMIN (potentially obtained through an unprivileged user namespace on permissive distributions) writes a program that rapidly and concurrently issues RTM_NEWTFILTER and RTM_DELFILTER netlink operations referencing the same tc action index across multiple CPUs, racing to free the action while another thread re-references it. On a successful race the freed object is reallocated and manipulated through the dangling refcount, giving the attacker a kernel use-after-free primitive usable for privilege escalation or, more easily, a kernel crash. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 - or your distribution's equivalent backport, then reboot (or kpatch/livepatch where available). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems running affected kernel versions and assess local user account exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy