9.8
CVE-2026-53175
- EPSS 0.34%
- Veröffentlicht 25.06.2026 08:38:52
- Zuletzt bearbeitet 06.07.2026 12:44:27
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 6.18.3 < 6.18.36
Linux ≫ Linux Kernel Version >= 6.19.1 < 7.0.13
Linux ≫ Linux Kernel Version6.12.93
Linux ≫ Linux Kernel Version6.19 Update-
Linux ≫ Linux Kernel Version6.19 Updaterc2
Linux ≫ Linux Kernel Version6.19 Updaterc3
Linux ≫ Linux Kernel Version6.19 Updaterc4
Linux ≫ Linux Kernel Version6.19 Updaterc5
Linux ≫ Linux Kernel Version6.19 Updaterc6
Linux ≫ Linux Kernel Version6.19 Updaterc7
Linux ≫ Linux Kernel Version6.19 Updaterc8
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
Linux ≫ Linux Kernel Version7.1 Updaterc4
Linux ≫ Linux Kernel Version7.1 Updaterc5
Linux ≫ Linux Kernel Version7.1 Updaterc6
Linux ≫ Linux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.26 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/0e823ca0e7391630784ae7dd0981b7ad170a93d9
https://git.kernel.org/stable/c/c22599cc90e1cd5f8129c8670bd68a02ff7177b4
https://git.kernel.org/stable/c/89b909e9704587bfecc1aab1d37e98faee03b9f9
https://git.kernel.org/stable/c/010c3313a4d178dc2d3ce958d2e5cb055e2864c1
https://git.kernel.org/stable/c/32594b09854970d7ba83eb2dc8c69a2edd158c8e
https://access.redhat.com/security/cve/CVE-2026-53175
https://bugzilla.redhat.com/show_bug.cgi?id=2492840
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53175.json