CVE-2026-53264 (GCVE-0-2026-53264)

Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
net/sched: act_api: use RCU with deferred freeing for action lifecycle
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: use RCU with deferred freeing for action lifecycle

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action.

Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

 0: mutex_lock() <-- holds the idr lock
 0: rcu_read_lock()
 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
 0: mutex_unlock() <-- releases the idr lock
 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
 1: idr_remove(idr, index) <-- Action removed from IDR
 1: mutex_unlock() <-- mutex released allowing us to delete the action
 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

 0: rcu_read_lock()
 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
 1: idr_remove(idr, index)
 1: mutex_unlock()
 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
 0: p = idr_find(idr, index)
 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
 1: rcu_read_unlock() <-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 98b2e40879abf0245be5a5b7af69e0f6ff524ac3 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 18af5d2ef0c4f65787fd1280c8b23286b9f2a835 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 1f1b98fea6b9ea30507d0f2fbff6750292d097e2 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 8b136f18ac4b2ace5aaad3305b3f8a5d8165a009 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 5dd51e09020c65aa53cf128e5e3517cd53b3c113 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < b60e9391142e983fab2be53497aa8f71fdd09cd5 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 91d105d2cbe002f9c7b43a6183adedc37e1da1f7 (git)
Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 5057e1aca011e51ef51498c940ef96f3d3e8a305 (git)
Linux Linux Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.10.259 , ≤ 5.10.* (semver)
Unaffected: 5.15.210 , ≤ 5.15.* (semver)
Unaffected: 6.1.176 , ≤ 6.1.* (semver)
Unaffected: 6.6.143 , ≤ 6.6.* (semver)
Unaffected: 6.12.94 , ≤ 6.12.* (semver)
Unaffected: 6.18.36 , ≤ 6.18.* (semver)
Unaffected: 7.0.13 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/act_api.h",
            "net/sched/act_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "98b2e40879abf0245be5a5b7af69e0f6ff524ac3",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "18af5d2ef0c4f65787fd1280c8b23286b9f2a835",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "1f1b98fea6b9ea30507d0f2fbff6750292d097e2",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "8b136f18ac4b2ace5aaad3305b3f8a5d8165a009",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "5dd51e09020c65aa53cf128e5e3517cd53b3c113",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "b60e9391142e983fab2be53497aa8f71fdd09cd5",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "91d105d2cbe002f9c7b43a6183adedc37e1da1f7",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            },
            {
              "lessThan": "5057e1aca011e51ef51498c940ef96f3d3e8a305",
              "status": "affected",
              "version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/act_api.h",
            "net/sched/act_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.259",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.259",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.210",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.176",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.143",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.94",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.36",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.13",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet\u0027s illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() \u003c-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) \u003c-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() \u003c-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() \u003c-- refcnt 1-\u003e0, mutex held\n 1: idr_remove(idr, index) \u003c-- Action removed from IDR\n 1: mutex_unlock() \u003c-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) \u003c-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(\u0026p-\u003etcfa_refcnt) \u003c-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet\u0027s illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() \u003c-- refcnt 1-\u003e0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(\u0026p-\u003etcfa_rcu, tcf_action_rcu_free) \u003c-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(\u0026p-\u003etcfa_refcnt) \u003c-- fails, refcnt already 0\n 1: rcu_read_unlock() \u003c-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0\u0027s subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T08:39:51.870Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3"
        },
        {
          "url": "https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009"
        },
        {
          "url": "https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113"
        },
        {
          "url": "https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305"
        }
      ],
      "title": "net/sched: act_api: use RCU with deferred freeing for action lifecycle",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53264",
    "datePublished": "2026-06-25T08:39:51.870Z",
    "dateReserved": "2026-06-09T07:44:35.395Z",
    "dateUpdated": "2026-06-25T08:39:51.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53264",
      "date": "2026-06-25",
      "epss": "0.00172",
      "percentile": "0.06847"
    }
  }
}

