CVE Catalog

CVE-2026-53239

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

A use-after-free vulnerability was found in the Linux kernel's xfrm_policy_bysel_ctx() function for XFRM policies. The issue is a race condition where an inexact policy bin is freed during hash rebuild while another thread still uses it after releasing the lock.

Risk Assessment

An attacker could exploit this to access freed memory, potentially causing a kernel panic or privilege escalation in environments using XFRM (e.g., VPN/IPsec).

Recommendation

Immediately update the Linux kernel to a version containing the fix that prunes the bin before releasing the xfrm_policy_lock.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed. Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed

Vulnerability data from NVD (NIST) · CISA KEV · EPSS