7.8

CVE-2026-53011

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.

The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < a8fc396519ef4f081bc545e88f61241728bb78d7
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < 3471874578160a28c171a607fa069f24062634b8
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < 7256996e1ef553716817f3bfd077c2f3b48b582f
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < eee072fe16c646190d33ae69c9983d8de1562bf8
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < 1bd286fa3e21200133478ed523cc6a2788baf38a
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < b73235da5dde77ed1264f9767b62c28c9d71fd78
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < 0e62171df8ed4804d00db088f17eed06468233fa
Status affected
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Version < 105425b1969c5affe532713cfac1c0b320d7ac2b
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.2
Status affected
Version 0
Version < 5.2
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.026
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/a8fc396519ef4f081bc545e88f61241728bb78d7
https://git.kernel.org/stable/c/3471874578160a28c171a607fa069f24062634b8
https://git.kernel.org/stable/c/7256996e1ef553716817f3bfd077c2f3b48b582f
https://git.kernel.org/stable/c/eee072fe16c646190d33ae69c9983d8de1562bf8
https://git.kernel.org/stable/c/1bd286fa3e21200133478ed523cc6a2788baf38a
https://git.kernel.org/stable/c/b73235da5dde77ed1264f9767b62c28c9d71fd78
https://git.kernel.org/stable/c/0e62171df8ed4804d00db088f17eed06468233fa
https://git.kernel.org/stable/c/105425b1969c5affe532713cfac1c0b320d7ac2b