Skip to main content

Linux Kernel EUVDEUVD-2026-35409

| CVE-2026-46319 HIGH
Use After Free (CWE-416)
2026-06-09 Linux GHSA-q9hw-vhj5-hw57
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local tc syscall with CAP_NET_ADMIN (AV:L, PR:L); winning the tiny RCU race needs SMP timing and heap grooming (AC:H); successful UAF yields full kernel C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:32 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 12:11 cve.org
HIGH 7.8
CVE Published
Jun 09, 2026 - 12:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: Only release RCU read lock after ct_ft

When looking up a flow table in act_ct in tcf_ct_flow_table_get(), rhashtable_lookup_fast() internally opens and closes an RCU read critical section before returning ct_ft. The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero() is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft object. This vulnerability can lead to privilege escalation.

Analysis from zdi-disclosures@trendmicro.com: When initializing act_ct, tcf_ct_init() is called, which internally triggers tcf_ct_flow_table_get().

static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)

{ struct zones_ht_key key = { .net = net, .zone = params->zone }; struct tcf_ct_flow_table *ct_ft; int err = -ENOMEM;

mutex_lock(&zones_mutex); ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1] if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2] goto out_unlock; ... }

static __always_inline void *rhashtable_lookup_fast( struct rhashtable *ht, const void *key, const struct rhashtable_params params) { void *obj;

rcu_read_lock(); obj = rhashtable_lookup(ht, key, params); rcu_read_unlock();

return obj; }

At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft from zones_ht . The lookup is performed within an RCU read critical section through rcu_read_lock() / rcu_read_unlock(), which prevents the object from being freed. However, at the point of function return, rcu_read_unlock() has already been called, and there is nothing preventing ct_ft from being freed before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes the race window, during which ct_ft can be freed.

Free Process:

tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu() tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().

static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft) { if (refcount_dec_and_test(&ct_ft->ref)) { rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params); INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3] queue_rcu_work(act_ct_wq, &ct_ft->rwork); } }

At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work

static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)

{ struct tcf_ct_flow_table *ct_ft; struct flow_block *block;

ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table, rwork); nf_flow_table_free(&ct_ft->nf_ft); block = &ct_ft->nf_ft.flow_block; down_write(&ct_ft->nf_ft.flow_block_lock); WARN_ON(!list_empty(&block->cb_list)); up_write(&ct_ft->nf_ft.flow_block_lock); kfree(ct_ft); // [4]

module_put(THIS_MODULE); }

tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes between [1] and [2], UAF occurs.

This race condition has a very short race window, making it generally difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was inserted after[1]

AnalysisAI

Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.

Technical ContextAI

The vulnerable code lives in net/sched/act_ct.c, the Traffic Control 'connection tracking' action that integrates Netfilter conntrack and the flow offload table into the tc subsystem. tcf_ct_flow_table_get() looks up a per-zone tcf_ct_flow_table via rhashtable_lookup_fast(), which opens and closes its own RCU read-side critical section internally and returns the pointer with no reference held. Between that return and the refcount_inc_not_zero() bump, a concurrent tcf_ct_cleanup() path can run tcf_ct_params_free_rcu() → tcf_ct_flow_table_put(), which drops the last reference, removes the node from zones_ht, and schedules tcf_ct_flow_table_cleanup_work() (the RCU work that calls kfree(ct_ft)). This is a classic CWE-416 use-after-free caused by an RCU read-critical-section that ends too early; the fix keeps the RCU read lock held across the lookup and refcount bump. Affected CPE is cpe:2.3:a:linux:linux:*, i.e. mainline Linux up to the fixed stable releases.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - at minimum Linux 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1-rc1 - pulling commits ece578ca61e5 / a2e0c045c87a / 67c9ecc9f257 / f23424a0ddad / 17dfb67cb399 / 4c727c6967a4 / 3e20e1b3058e / f462dca0c841 from https://git.kernel.org/stable/c/. Apply your distribution's corresponding security update (RHEL, Ubuntu, SUSE, Debian, Amazon Linux) once available. As a compensating control until patched, prevent unprivileged users from creating tc act_ct rules: disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Debian/Ubuntu, or user.max_user_namespaces=0) which blocks the typical container-escape vector but breaks rootless containers and unprivileged sandboxing; drop CAP_NET_ADMIN from container/workload profiles (seccomp/AppArmor/SELinux) which breaks workloads that legitimately program tc/netfilter; or unload/blacklist the act_ct module (modprobe -r act_ct, install act_ct /bin/false in modprobe.d) which breaks any conntrack-aware tc pipeline including OVS hardware offload setups.

CVE-2016-7552 CRITICAL POC
9.8 Apr 12

On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows

CVE-2016-7547 CRITICAL POC
9.8 Apr 12

A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in

CVE-2017-11394 CRITICAL POC
9.8 Aug 03

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr

CVE-2017-11391 HIGH POC
8.8 Aug 03

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att

CVE-2017-11392 HIGH POC
8.8 Aug 03

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att

CVE-2016-6267 HIGH POC
8.8 Jan 30

SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330

CVE-2017-6398 HIGH POC
8.8 Mar 14

An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C

CVE-2017-7896 MEDIUM POC
6.1 Apr 18

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV

CVE-2017-14078 CRITICAL
9.8 Sep 22

SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac

CVE-2016-3987 CRITICAL POC
9.8 Apr 12

The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para

CVE-2017-14089 CRITICAL POC
9.8 Oct 06

An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u

CVE-2020-8606 CRITICAL POC
9.8 May 27

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-35409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy