Skip to main content

Linux Kernel EUVDEUVD-2026-39221

| CVE-2026-53270 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r42m-j2mw-2qf9
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local-only via IPVS admin so AV:L/PR:L; success depends on winning an RCU race during a scheduler swap, raising AC:H; UAF yields full memory read/corrupt impact C:H/I:H/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:50 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipvs: clear the svc scheduler ptr early on edit

ip_vs_edit_service() while unbinding the old scheduler clears the svc->scheduler ptr after the scheduler module initiates RCU callbacks. This can cause packets to use the old scheduler at the time when svc->sched_data is already freed after RCU grace period.

Fix it by clearing the ptr early in ip_vs_unbind_scheduler(), before the done_service method schedules any RCU callbacks.

Also, if the new scheduler fails to initialize when replacing the old scheduler, try to restore the old scheduler while still returning the error code.

AnalysisAI

Use-after-free in the Linux kernel's IPVS (IP Virtual Server) load balancer allows a local privileged user to corrupt kernel memory by editing a virtual service's scheduler. ip_vs_edit_service() cleared svc->scheduler only after the old scheduler module had already initiated RCU callbacks, so in-flight packets could dereference svc->sched_data after it was freed at the end of the RCU grace period. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local access with CAP_NET_ADMIN
Delivery
Create or target IPVS service with live traffic
Exploit
Edit service to swap scheduler
Install
Race RCU free of sched_data
C2
Reoccupy freed slab object
Execute
Read or corrupt kernel memory
Impact
Disclose data or escalate privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution plus the ability to administer IPVS virtual services - practically CAP_NET_ADMIN in the relevant network namespace - and the target host must have IPVS enabled (CONFIG_IP_VS) and an active virtual service carrying live traffic. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent in pointing to a real but constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a multi-tenant or container host, an attacker with CAP_NET_ADMIN in a network namespace repeatedly edits an IPVS virtual service to swap its scheduler while driving traffic through that service, racing the RCU free of sched_data against the packet path so that in-flight packets dereference freed memory. By grooming the kernel slab to reoccupy the freed sched_data, the attacker can leak adjacent kernel memory or corrupt it toward privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1, or your distribution's backport carrying the equivalent commits (see https://git.kernel.org/stable/c/e4feec3174036ba772006be74beee0efa09a9eb8 and the related stable commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running IPVS load balancers and document current kernel versions to identify exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy