PT-2026-52335 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25 ·
CVE-2026-53240
None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: fix use-after-free on first_skb in input_process_payload
input_process_payload() stores first_skb into xtfs->ra_newskb under
drop_lock when starting partial reassembly, then unlocks and breaks out
of the processing loop. The post-loop check reads xtfs->ra_newskb
without the lock to decide whether first_skb is still owned:
if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)
Between spin_unlock and this read, a concurrent CPU running
iptfs_reassem_cont() (or the drop timer hrtimer) can complete
reassembly, NULL xtfs->ra_newskb, and free the skb. The check then
evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb
operate on the freed skb — a use-after-free in skbuff_head_cache.
Replace the unlocked read with a local bool that records whether
first_skb was handed to the reassembly state in the current call. The
flag is set after the existing spin_unlock, before the break, using the
pointer equality that is stable at that point (first_skb == skb iff
first_skb was stored in ra_newskb).
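The following is an added user-space model of the ownership bug and its fix, not code from the kernel or this advisory; the names reasm_state, ra_newbuf, owns_first_buf_unfixed and owns_first_buf_fixed are hypothetical stand-ins for the xfrm/iptfs structures, and the race window is simulated by a hook called between the unlock and the post-loop check.

```c
/* Model of the iptfs ownership race (added example, hypothetical names). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct buf { const char *data; size_t len; };

struct reasm_state {
    atomic_flag lock;        /* stands in for drop_lock */
    struct buf *ra_newbuf;   /* buffer owned by the reassembly state, or NULL */
};

static void lock(struct reasm_state *st) { while (atomic_flag_test_and_set(&st->lock)) {} }
static void unlock(struct reasm_state *st) { atomic_flag_clear(&st->lock); }

typedef void (*race_hook)(struct reasm_state *);

/* Simulates another CPU finishing reassembly: it takes ra_newbuf and, in the
 * kernel, frees the skb. Here only the pointer is cleared so the test stays
 * well defined. */
static void reasm_complete(struct reasm_state *st) {
    lock(st);
    st->ra_newbuf = NULL;
    unlock(st);
}

/* Unfixed pattern: hands first off, then decides ownership by re-reading
 * shared state without the lock. Returns true if the caller would go on
 * to use first (pskb_trim/consume_skb in the real code). */
static bool owns_first_buf_unfixed(struct reasm_state *st, struct buf *first, race_hook hook) {
    lock(st);
    st->ra_newbuf = first;            /* partial reassembly started */
    unlock(st);
    if (hook) hook(st);               /* race window: completion + free */
    return first != st->ra_newbuf;    /* NULL != first reads as "still ours" */
}

/* Fixed pattern: record the handoff in a local flag while it is still
 * known to be true, never re-read the shared pointer. */
static bool owns_first_buf_fixed(struct reasm_state *st, struct buf *first, race_hook hook) {
    bool handed_off = false;
    lock(st);
    st->ra_newbuf = first;
    unlock(st);
    handed_off = true;                /* stable fact about this call */
    if (hook) hook(st);
    return !handed_off;
}

/* Runs one scenario on fresh state; returns whether first would be used. */
bool scenario(bool fixed, bool race) {
    struct reasm_state st = { .lock = ATOMIC_FLAG_INIT, .ra_newbuf = NULL };
    struct buf first = { "constructed payload", 19 };
    race_hook hook = race ? reasm_complete : NULL;
    return fixed ? owns_first_buf_fixed(&st, &first, hook)
                 : owns_first_buf_unfixed(&st, &first, hook);
}
```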
Found a problem in the description? Have something to add? Feel free to write to us 👾
Related identifiers
Affected products
Linux