PT-2026-52334 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53239
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.
In the Linux kernel, the following vulnerability has been resolved:
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.
Race:

  CPU0 (XFRM_MSG_DELPOLICY)               CPU1 (XFRM_MSG_NEWSPDINFO)
  ==========================              ==========================
  xfrm_policy_bysel_ctx():
    spin_lock_bh(xfrm_policy_lock)
    bin = xfrm_policy_inexact_lookup()
    __xfrm_policy_unlink(pol)
    spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_kill(ret)
    // wide window, lock not held
                                          xfrm_hash_rebuild():
                                            spin_lock_bh(xfrm_policy_lock)
                                            __xfrm_policy_inexact_flush():
                                              kfree_rcu(bin) // bin freed
                                            spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_inexact_prune_bin(bin)
    // UAF: bin is freed
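
The interleaving above, replayed deterministically in user space as an added example (not the kernel patch and not kernel code). `struct bin`, `struct table`, `rebuild()`, `prune_locked()` and `del_policy()` are hypothetical names, and a `freed` flag stands in for `kfree_rcu()` so no memory is actually released.

```c
/* Added user-space model of the lock ordering; not kernel code. struct bin,
 * struct table, rebuild(), prune_locked() and del_policy() are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct bin   { bool freed; int policies; };     /* stands in for the inexact bin */
struct table { bool locked; struct bin *bin; }; /* stands in for lock + bin list */
static void lock(struct table *t)   { t->locked = true; }
static void unlock(struct table *t) { t->locked = false; }

/* CPU1: the rebuild flushes the bin under the lock (models kfree_rcu(bin)). */
static void rebuild(struct table *t)
{
    lock(t);
    if (t->bin) { t->bin->freed = true; t->bin = NULL; }
    unlock(t);
}

/* Prune an empty bin with the lock held; false means the bin was stale. */
static bool prune_locked(struct table *t, struct bin *b)
{
    if (!t->locked || b->freed) return false; /* in the kernel: the UAF access */
    if (b->policies == 0) { b->freed = true; t->bin = NULL; }
    return true;
}

/* CPU0: delete one policy. window() models what another CPU does once the
 * lock is dropped. fixed=false is the pre-fix order, fixed=true the patched one. */
static bool del_policy(struct table *t, bool fixed, void (*window)(struct table *))
{
    bool ok = false;
    lock(t);
    struct bin *b = t->bin;                 /* lookup */
    b->policies--;                          /* unlink */
    if (fixed) ok = prune_locked(t, b);     /* patched: prune before unlock */
    unlock(t);
    if (window) window(t);                  /* CPU1 runs here */
    if (!fixed) { lock(t); ok = prune_locked(t, b); unlock(t); } /* pre-fix */
    return ok;
}

int main(void)
{
    struct bin b1 = { false, 1 }, b2 = { false, 1 };
    struct table t1 = { false, &b1 }, t2 = { false, &b2 };
    printf("pre-fix ok=%d\n", del_policy(&t1, false, rebuild));
    printf("patched ok=%d\n", del_policy(&t2, true, rebuild));
    return 0;
}
```

In the pre-fix order the pointer cached under the first lock is stale by the time the second lock is taken. In the patched order the rebuild finds nothing left to flush.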
Related identifiers
Affected products
Linux