Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.

The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free within the Linux taprio network scheduler. When the scheduler switches from an administrative to an operational schedule, it frees the old schedule while still holding a pointer to its entry. Subsequent writes to the freed memory corrupt kernel data structures, which is a classic CWE‑825 weakness that can compromise the kernel’s integrity and availability.

Affected Systems

All Linux kernels that include the taprio scheduling class without the patch are vulnerable. This includes every distribution kernel that has not yet incorporated the commit sequence referenced in the advisory; any system that uses taprio remains at risk until it is updated.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% signals a low likelihood of exploitation. The attack vector is inferred to require the ability to configure taprio schedules, either locally or remotely if that capability is exposed. The flaw is not listed in CISA KEV, and no public exploits have been reported, but the memory corruption could still be leveraged for privilege escalation or denial of service.

Generated by OpenCVE AI on June 28, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the taprio use‑after‑free fix (starting with the commit that introduces the fix).
  • If an upgrade is not immediately possible, disable or unload the taprio module or class to prevent its use.
  • Restrict permissions on taprio configuration commands and monitor system logs for attempted configuration changes until the patch is applied.

Generated by OpenCVE AI on June 28, 2026 at 13:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advance_sched() on schedule switch In advance_sched(), when should_change_schedules() returns true, switch_schedules() is called to promote the admin schedule to oper. switch_schedules() queues the old oper schedule for RCU freeing via call_rcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->end_time = end_time' and rcu_assign_pointer(q->current_entry, next) are use-after-free. Fix this by selecting 'next' from the new oper schedule immediately after switch_schedules(), and using its pre-calculated end_time. setup_first_end_time() sets the first entry's end_time to base_time + interval when the schedule is installed, so the value is already correct. The deleted 'end_time = sched_base_time(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated end_time with just base_time.
Title net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:02.986Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53011

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53011 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference