Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local CAP_NET_ADMIN netlink access gives PR:L and AV:L; winning a kernel race for the UAF raises complexity to AC:H, with high memory-corruption impact (C/I/A:H).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed.
Race:
CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ====== ====== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed
AnalysisAI
Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution and the ability to send XFRM/IPsec netlink messages (XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO on NETLINK_XFRM), which in turn requires CAP_NET_ADMIN in the relevant network namespace - consistent with PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8) reflects a local, low-privilege, high-impact memory-corruption flaw, but its complexity is understated: triggering a use-after-free requires winning a tight kernel race between two concurrent netlink operations, which in practice is closer to high attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with CAP_NET_ADMIN in a network namespace (for example, a containerized workload or a low-privileged service account) rapidly issues XFRM_MSG_DELPOLICY netlink requests against inexact IPsec policies while concurrently triggering xfrm_hash_rebuild() via XFRM_MSG_NEWSPDINFO, racing to free the inexact bin during the unlocked window. A successful race produces a use-after-free in kernel memory, most likely crashing the host (DoS) and potentially being groomed toward privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (or 7.1 mainline) - or apply the corresponding stable commit (e.g., https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821) and reboot, or live-patch if your distribution supports it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems in production and identify kernel versions vulnerable to CVE-2026-53239. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39330
GHSA-qmj7-fh92-4787