CVE-2026-53011
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
A use-after-free vulnerability was found in the Linux kernel's taprio network scheduler. The bug occurs in advance_sched() during schedule switching, where the 'next' pointer still references the old schedule after it has been freed via call_rcu().
Risk Assessment
An attacker could exploit this vulnerability to gain unauthorized access to kernel memory, potentially causing system crashes (DoS) or privilege escalation.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit 5a4b0c1f3e2d). Check your distribution for the patch and apply it urgently.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advance_sched() on schedule switch In advance_sched(), when should_change_schedules() returns true, switch_schedules() is called to promote the admin schedule to oper. switch_schedules() queues the old oper schedule for RCU freeing via call_rcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->end_time = end_time' and rcu_assign_pointer(q->current_entry, next) are use-after-free. Fix this by selecting 'next' from the new oper schedule immediately after switch_schedules(), and using its pre-calculated end_time. setup_first_end_time() sets the first entry's end_time to base_time + interval when the schedule is installed, so the value is already correct. The deleted 'end_time = sched_base_time(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated end_time with just base_time.

