PT-2026-52334 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53239
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

  CPU0 (XFRM_MSG_DELPOLICY)              CPU1 (XFRM_MSG_NEWSPDINFO)
  ==========================             ==========================
  xfrm_policy_bysel_ctx():
    spin_lock_bh(xfrm_policy_lock)
    bin = xfrm_policy_inexact_lookup()
    __xfrm_policy_unlink(pol)
    spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_kill(ret)
    // wide window, lock not held
                                         xfrm_hash_rebuild():
                                           spin_lock_bh(xfrm_policy_lock)
                                           __xfrm_policy_inexact_flush():
                                             kfree_rcu(bin) // bin freed
                                           spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_inexact_prune_bin(bin)
    // UAF: bin is freed
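
The ordering problem in the race above, as an added example that is not kernel code and not part of the original advisory: a single-threaded C model that replays the interleaving deterministically and compares pruning after the unlock with pruning while the lock is still held. All type and function names are constructed for illustration, and a `freed` flag stands in for the real free so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: "freed" marks a bin the rebuild has released, so a
 * stale access can be detected without real undefined behaviour. */
struct bin   { bool freed; int policies; };
struct table { bool locked; struct bin *inexact; struct bin pool[2]; };

static void table_init(struct table *t) {
    t->locked = false;
    t->pool[0] = (struct bin){ false, 1 };
    t->pool[1] = (struct bin){ false, 0 };
    t->inexact = &t->pool[0];
}

/* CPU1: hash rebuild. Needs the lock; flushes (frees) the current bin. */
static bool rebuild(struct table *t) {
    if (t->locked)
        return false;                 /* would spin until CPU0 unlocks */
    t->locked = true;
    t->inexact->freed = true;         /* stands in for kfree_rcu(bin) */
    t->inexact = &t->pool[1];
    t->locked = false;
    return true;
}

/* Prune step: reports whether the bin it touches was already freed. */
static bool prune(const struct bin *b) { return b->freed; }

/* CPU0 delete path. prune_under_lock=false is the pre-fix ordering,
 * true is the ordering the fix introduces. Returns true on stale access. */
static bool delete_policy(struct table *t, bool prune_under_lock) {
    bool stale = false;
    t->locked = true;
    struct bin *b = t->inexact;       /* lookup under the lock */
    b->policies--;                    /* unlink under the lock */
    if (prune_under_lock)
        stale = prune(b);             /* bin cannot be flushed yet */
    t->locked = false;
    rebuild(t);                       /* CPU1 runs in the unlocked window */
    if (!prune_under_lock)
        stale = prune(b);             /* pointer outlived the lock */
    return stale;
}
```
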
Affected Products
Linux