Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only via tc netlink so AV:L; CAP_NET_ADMIN needed so PR:L; success depends on winning a concurrent free/re-reference race so AC:H; UAF yields full memory-corruption impact C:H/I:H/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_api: use RCU with deferred freeing for action lifecycle
When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action.
Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:
0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory
This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree().
Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu().
Let's illustrate the new restored code path:
0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period
After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.
AnalysisAI
Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution and CAP_NET_ADMIN within the relevant network namespace in order to invoke tc filter operations over netlink; on distributions that permit unprivileged user namespaces this capability is reachable by an otherwise unprivileged local user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N, C:H/I:H/A:H = 7.8 High) indicates a local attacker with some privileges and high impact, but the description makes clear this is a timing-dependent race between two concurrent operations, which in practice raises attack complexity above the AC:L rating - winning the NEWTFILTER/DELFILTER window is non-deterministic, so AC:H is more realistic (see assessed vector). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with CAP_NET_ADMIN (potentially obtained through an unprivileged user namespace on permissive distributions) writes a program that rapidly and concurrently issues RTM_NEWTFILTER and RTM_DELFILTER netlink operations referencing the same tc action index across multiple CPUs, racing to free the action while another thread re-references it. On a successful race the freed object is reallocated and manipulated through the dangling refcount, giving the attacker a kernel use-after-free primitive usable for privilege escalation or, more easily, a kernel crash. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 - or your distribution's equivalent backport, then reboot (or kpatch/livepatch where available). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems running affected kernel versions and assess local user account exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39215
GHSA-vq3g-6qwh-5wj2