Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only via IPVS admin so AV:L/PR:L; success depends on winning an RCU race during a scheduler swap, raising AC:H; UAF yields full memory read/corrupt impact C:H/I:H/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ipvs: clear the svc scheduler ptr early on edit
ip_vs_edit_service() while unbinding the old scheduler clears the svc->scheduler ptr after the scheduler module initiates RCU callbacks. This can cause packets to use the old scheduler at the time when svc->sched_data is already freed after RCU grace period.
Fix it by clearing the ptr early in ip_vs_unbind_scheduler(), before the done_service method schedules any RCU callbacks.
Also, if the new scheduler fails to initialize when replacing the old scheduler, try to restore the old scheduler while still returning the error code.
AnalysisAI
Use-after-free in the Linux kernel's IPVS (IP Virtual Server) load balancer allows a local privileged user to corrupt kernel memory by editing a virtual service's scheduler. ip_vs_edit_service() cleared svc->scheduler only after the old scheduler module had already initiated RCU callbacks, so in-flight packets could dereference svc->sched_data after it was freed at the end of the RCU grace period. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution plus the ability to administer IPVS virtual services - practically CAP_NET_ADMIN in the relevant network namespace - and the target host must have IPVS enabled (CONFIG_IP_VS) and an active virtual service carrying live traffic. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent in pointing to a real but constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a multi-tenant or container host, an attacker with CAP_NET_ADMIN in a network namespace repeatedly edits an IPVS virtual service to swap its scheduler while driving traffic through that service, racing the RCU free of sched_data against the packet path so that in-flight packets dereference freed memory. By grooming the kernel slab to reoccupy the freed sched_data, the attacker can leak adjacent kernel memory or corrupt it toward privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1, or your distribution's backport carrying the equivalent commits (see https://git.kernel.org/stable/c/e4feec3174036ba772006be74beee0efa09a9eb8 and the related stable commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all systems running IPVS load balancers and document current kernel versions to identify exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39221
GHSA-r42m-j2mw-2qf9