PT-2026-52271 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25
CVE-2026-53175
Severity rating: None
No severity ratings or metrics are available yet. When they become available, the corresponding information on this page will be updated.
In the Linux kernel, the following vulnerability has been resolved:
inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and
flushes every fragment queue that is not yet complete using
inet_frag_queue_flush(). That helper frees all the skbs queued on the
fragment queue but does not set INET_FRAG_COMPLETE, and leaves
q->fragments_tail and q->last_run_head pointing at the freed skbs.
The queue itself stays in the rhashtable.

fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,
but it cannot stop a fragment that already obtained the queue through
inet_frag_find() earlier and stalled just before taking the queue lock.
Once that fragment resumes after the flush and takes the queue lock,
it passes the INET_FRAG_COMPLETE check and then dereferences the freed
fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of
that pointer and, on the append path, writes ->next_frag, causing a
slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly
share the same flush path and are affected as well.

Reset rb_fragments, fragments_tail and last_run_head in
inet_frag_queue_flush() so a flushed queue no longer points at the
freed skbs. A fragment that resumes after the flush and takes the
queue lock then finds an empty queue and starts a new run instead of
dereferencing the freed fragments_tail. ip_frag_reinit() already
performed this reset after its own flush, so drop the now duplicate
code there.
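The race in the commit message, as an added, constructed simulation that is not kernel code and not part of this page: the function and field names mirror the commit text (fqdir_pre_exit() flush, inet_frag_queue_insert(), rb_fragments, fragments_tail, last_run_head), but the bodies are a simplified model. The rbtree of runs is reduced to a singly linked list, the INET_FRAG_COMPLETE flag value is an arbitrary choice, and skbs live in a fixed arena with a `freed` marker instead of being returned to the allocator, so the dangling dereference is reported as a result code rather than corrupting memory. The pre-fix flush and the fixed flush sit side by side; the late fragment's insert path is then run against each.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the fqdir_pre_exit() flush race; NOT kernel code.
 * kfree_skb() only marks an skb freed so a dangling use is detectable. */

#define INET_FRAG_COMPLETE 0x04   /* flag value chosen for the model */
#define ARENA_SIZE 8

struct skb {
    bool freed;
    int len;
    struct skb *next_frag;        /* next fragment in the same run */
};

struct frag_queue {
    unsigned int flags;
    struct skb *rb_fragments;     /* first skb (rbtree simplified to a list) */
    struct skb *fragments_tail;   /* last skb appended */
    struct skb *last_run_head;    /* head of the run fragments_tail is in */
};

static struct skb arena[ARENA_SIZE];
static int arena_used;

static struct skb *skb_alloc(int len)
{
    struct skb *s = &arena[arena_used++];
    memset(s, 0, sizeof(*s));
    s->len = len;
    return s;
}

static void kfree_skb(struct skb *s)
{
    s->freed = true;
    s->next_frag = NULL;
}

/* Free every skb still queued; shared by both flush variants. */
static void flush_skbs(struct frag_queue *q)
{
    struct skb *s = q->rb_fragments;
    while (s) {
        struct skb *next = s->next_frag;
        kfree_skb(s);
        s = next;
    }
}

/* Pre-fix flush: skbs freed, INET_FRAG_COMPLETE not set, the three
 * pointers still point at the freed skbs, queue stays in the table. */
static void inet_frag_queue_flush_buggy(struct frag_queue *q)
{
    flush_skbs(q);
}

/* Fixed flush: additionally reset the pointers so the queue is empty. */
static void inet_frag_queue_flush_fixed(struct frag_queue *q)
{
    flush_skbs(q);
    q->rb_fragments = NULL;
    q->fragments_tail = NULL;
    q->last_run_head = NULL;
}

enum insert_result {
    INSERT_NEW_RUN, INSERT_APPENDED, INSERT_DROPPED_COMPLETE, INSERT_USE_AFTER_FREE
};

/* Insert path of the fragment that resumes after the flush. */
static enum insert_result inet_frag_queue_insert(struct frag_queue *q, struct skb *skb)
{
    if (q->flags & INET_FRAG_COMPLETE)
        return INSERT_DROPPED_COMPLETE;   /* never taken: flush does not set it */

    struct skb *tail = q->fragments_tail;
    if (!tail) {
        q->rb_fragments = q->fragments_tail = q->last_run_head = skb;
        return INSERT_NEW_RUN;            /* empty queue: start a new run */
    }
    /* The real code reads FRAG_CB(tail) and tail->len here and, on the
     * append path, writes tail->next_frag: a slab UAF if tail was freed. */
    if (tail->freed)
        return INSERT_USE_AFTER_FREE;
    tail->next_frag = skb;
    q->fragments_tail = skb;
    return INSERT_APPENDED;
}

/* Netns teardown racing with a stalled fragment; returns the insert's fate. */
static enum insert_result run_scenario(bool fixed)
{
    struct frag_queue q = {0};
    arena_used = 0;

    /* Two fragments queued before teardown (constructed input). */
    struct skb *a = skb_alloc(100), *b = skb_alloc(100);
    a->next_frag = b;
    q.rb_fragments = q.last_run_head = a;
    q.fragments_tail = b;

    /* A third fragment already found q via inet_frag_find() and stalled
     * just before taking the queue lock. */
    struct skb *late = skb_alloc(100);

    if (fixed)                            /* fqdir_pre_exit() flushes q */
        inet_frag_queue_flush_fixed(&q);
    else
        inet_frag_queue_flush_buggy(&q);

    return inet_frag_queue_insert(&q, late);   /* stalled fragment resumes */
}

int main(void)
{
    printf("buggy flush -> %d (3 = use-after-free)\n", run_scenario(false));
    printf("fixed flush -> %d (0 = new run)\n", run_scenario(true));
    return 0;
}
```

With the pre-fix flush the late fragment passes the INET_FRAG_COMPLETE check and touches the freed tail; with the reset in place it sees an empty queue and opens a new run, which is exactly the behaviour the fix relies on.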
Related identifiers
Affected products
Linux