Impact
The Linux kernel contains a use‑after‑free bug in the fragment queue cleanup path invoked during network namespace teardown. When a fragment queue is freed but its tail pointers are not reset, a fragment that resumes after the flush later dereferences these freed pointers, leading to a kernel memory corruption that can crash the system or allow an attacker to execute arbitrary code. The flaw exists in the IPv6, nf_conntrack_reasm6, and 6lowpan reassembly modules, which share the same flush logic.
Affected Systems
All Linux kernel releases lacking the specific patch are vulnerable; this includes standard distributions and any system using the kernel’s native fragment reassembly code. The vulnerability applies to every kernel that relies on the patch that was merged.
Risk and Exploitability
The CVSS base score of 9.8 and the EPSS score of less than 1% indicate a severe flaw with a low probability of exploitation in the wild. The bug is not listed in the CISA KEV catalog. Successful exploitation would require control of the network namespace lifecycle—creating and destroying namespaces as a privileged user—and the ability to supply crafted fragmented packets or manipulate skb data. Attackers who achieve this could trigger a use‑after‑free, causing a kernel panic or providing a privilege escalation attack surface.
OpenCVE Enrichment