Description
In the Linux kernel, the following vulnerability has been resolved:

inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and
flushes every fragment queue that is not yet complete using
inet_frag_queue_flush(). That helper frees all the skbs queued on the
fragment queue but does not set INET_FRAG_COMPLETE, and leaves
q->fragments_tail and q->last_run_head pointing at the freed skbs.
The queue itself stays in the rhashtable.

fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,
but it cannot stop a fragment that already obtained the queue through
inet_frag_find() earlier and stalled just before taking the queue lock.
Once that fragment resumes after the flush and takes the queue lock,
it passes the INET_FRAG_COMPLETE check and then dereferences the freed
fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of
that pointer and, on the append path, writes ->next_frag, causing a
slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly
share the same flush path and are affected as well.

Reset rb_fragments, fragments_tail and last_run_head in
inet_frag_queue_flush() so a flushed queue no longer points at the
freed skbs. A fragment that resumes after the flush and takes the
queue lock then finds an empty queue and starts a new run instead of
dereferencing the freed fragments_tail. ip_frag_reinit() already
performed this reset after its own flush, so drop the now duplicate
code there.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a use‑after‑free bug in the fragment queue cleanup path invoked during network namespace teardown. When a fragment queue is freed but its tail pointers are not reset, a fragment that resumes after the flush later dereferences these freed pointers, leading to a kernel memory corruption that can crash the system or allow an attacker to execute arbitrary code. The flaw exists in the IPv6, nf_conntrack_reasm6, and 6lowpan reassembly modules, which share the same flush logic.

Affected Systems

All Linux kernel releases lacking the specific patch are vulnerable; this includes standard distributions and any system using the kernel’s native fragment reassembly code. The vulnerability applies to every kernel that relies on the patch that was merged.

Risk and Exploitability

The CVSS base score of 9.8 and the EPSS score of less than 1% indicate a severe flaw with a low probability of exploitation in the wild. The bug is not listed in the CISA KEV catalog. Successful exploitation would require control of the network namespace lifecycle—creating and destroying namespaces as a privileged user—and the ability to supply crafted fragmented packets or manipulate skb data. Attackers who achieve this could trigger a use‑after‑free, causing a kernel panic or providing a privilege escalation attack surface.

Generated by OpenCVE AI on June 28, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that resets fragment queue pointers—update to the latest stable release or apply commit 010c3313a4d178dc2d3ce958d2e5cb055e2864c1—directly addressing the CWE‑416 use‑after‑free defect.
  • Restrict the creation and deletion of network namespaces to trusted users or disable namespace support entirely via system configuration (e.g., set kernel.unprivileged_userns_clone to 0) to reduce the attack surface for this bug.
  • After updating, enable kernel crash dumps or configure a system monitoring tool to alert on kernel panics or abnormal crashes to ensure the issue has been fully mitigated.

Generated by OpenCVE AI on June 28, 2026 at 15:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000


Sun, 28 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sun, 28 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.
Title inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:43.802Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53175

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53175 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:15:05Z

Weaknesses