CVE-2026-53011 - Vulnerability Details

- net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.

The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< a8fc396519ef4f081bc545e88f61241728bb78d7
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< 3471874578160a28c171a607fa069f24062634b8
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< 7256996e1ef553716817f3bfd077c2f3b48b582f
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< eee072fe16c646190d33ae69c9983d8de1562bf8
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< 1bd286fa3e21200133478ed523cc6a2788baf38a
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< b73235da5dde77ed1264f9767b62c28c9d71fd78
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< 0e62171df8ed4804d00db088f17eed06468233fa
`a3d43c0d56f1b94e74963a2fbadfb70126d92213`	affected	< 105425b1969c5affe532713cfac1c0b320d7ac2b

Linux

affected

Version	Status	Constraints
`5.2`	affected	—
`0`	unaffected	< 5.2
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0e62171df8ed4804d00db088f17eed06468233fa
https://git.kernel.org/stable/c/105425b1969c5affe532713cfac1c0b320d7ac2b
https://git.kernel.org/stable/c/1bd286fa3e21200133478ed523cc6a2788baf38a
https://git.kernel.org/stable/c/3471874578160a28c171a607fa069f24062634b8
https://git.kernel.org/stable/c/7256996e1ef553716817f3bfd077c2f3b48b582f
https://git.kernel.org/stable/c/a8fc396519ef4f081bc545e88f61241728bb78d7
https://git.kernel.org/stable/c/b73235da5dde77ed1264f9767b62c28c9d71fd78
https://git.kernel.org/stable/c/eee072fe16c646190d33ae69c9983d8de1562bf8

History

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advance_sched() on schedule switch In advance_sched(), when should_change_schedules() returns true, switch_schedules() is called to promote the admin schedule to oper. switch_schedules() queues the old oper schedule for RCU freeing via call_rcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->end_time = end_time' and rcu_assign_pointer(q->current_entry, next) are use-after-free. Fix this by selecting 'next' from the new oper schedule immediately after switch_schedules(), and using its pre-calculated end_time. setup_first_end_time() sets the first entry's end_time to base_time + interval when the schedule is installed, so the value is already correct. The deleted 'end_time = sched_base_time(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated end_time with just base_time.
Title		net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0e62171df8ed4804d00db088f17eed06468233fa https://git.kernel.org/stable/c/105425b1969c5affe532713cfac1c0b320d7ac2b https://git.kernel.org/stable/c/1bd286fa3e21200133478ed523cc6a2788baf38a https://git.kernel.org/stable/c/3471874578160a28c171a607fa069f24062634b8 https://git.kernel.org/stable/c/7256996e1ef553716817f3bfd077c2f3b48b582f https://git.kernel.org/stable/c/a8fc396519ef4f081bc545e88f61241728bb78d7 https://git.kernel.org/stable/c/b73235da5dde77ed1264f9767b62c28c9d71fd78 https://git.kernel.org/stable/c/eee072fe16c646190d33ae69c9983d8de1562bf8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:22.082Z

Updated: 2026-06-24T16:29:22.082Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53011

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object