Description
In the Linux kernel, the following vulnerability has been resolved:

inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and
flushes every fragment queue that is not yet complete using
inet_frag_queue_flush(). That helper frees all the skbs queued on the
fragment queue but does not set INET_FRAG_COMPLETE, and leaves
q->fragments_tail and q->last_run_head pointing at the freed skbs.
The queue itself stays in the rhashtable.

fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,
but it cannot stop a fragment that already obtained the queue through
inet_frag_find() earlier and stalled just before taking the queue lock.
Once that fragment resumes after the flush and takes the queue lock,
it passes the INET_FRAG_COMPLETE check and then dereferences the freed
fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of
that pointer and, on the append path, writes ->next_frag, causing a
slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly
share the same flush path and are affected as well.

Reset rb_fragments, fragments_tail and last_run_head in
inet_frag_queue_flush() so a flushed queue no longer points at the
freed skbs. A fragment that resumes after the flush and takes the
queue lock then finds an empty queue and starts a new run instead of
dereferencing the freed fragments_tail. ip_frag_reinit() already
performed this reset after its own flush, so drop the now duplicate
code there.
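To make the race above concrete, here is a small user-space model of the fragment queue, written for this page and not taken from the kernel: queue_flush() with reset_pointers set to false mimics inet_frag_queue_flush() before the fix, queue_insert() mimics the append path of inet_frag_queue_insert(), and the rb_fragments tree, the rhashtable and the queue lock are left out (the names mirror the commit message; everything else is assumed).

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of an inet fragment queue (added illustration, not kernel code). */
struct skb { struct skb *next_frag; };
struct frag_queue {
    struct skb *last_run_head;   /* first skb of the current run */
    struct skb *fragments_tail;  /* last skb of the current run */
    bool complete;               /* stands in for INET_FRAG_COMPLETE */
    int nfrags;
};
/* Frees every queued skb. reset_pointers == false behaves like the flush
 * before the fix: the skbs are gone but the queue still points at them. */
static void queue_flush(struct frag_queue *q, bool reset_pointers)
{
    for (struct skb *s = q->last_run_head, *n = NULL; s; s = n) {
        n = s->next_frag;
        free(s);
    }
    q->nfrags = 0;
    if (reset_pointers) q->last_run_head = q->fragments_tail = NULL;
}
/* Append path of inet_frag_queue_insert(): a non-NULL tail is dereferenced,
 * so a stale tail left behind by the unfixed flush is the use-after-free. */
static int queue_insert(struct frag_queue *q, struct skb *skb)
{
    if (q->complete) return -1;              /* the only check the caller makes */
    skb->next_frag = NULL;
    if (!q->fragments_tail)
        q->last_run_head = skb;              /* empty queue: start a new run */
    else
        q->fragments_tail->next_frag = skb;  /* writes into the tail skb */
    q->fragments_tail = skb;
    return ++q->nfrags;
}
/* Queue two fragments, flush as on netns teardown, then let a stalled fragment
 * resume. Returns -1 if the tail dangles (insert skipped), else the new run length. */
static int resume_after_flush(bool fixed)
{
    struct frag_queue q = {0};
    for (int i = 0; i < 2; i++)
        queue_insert(&q, calloc(1, sizeof(struct skb)));
    queue_flush(&q, fixed);
    if (q.fragments_tail) return -1;         /* pointer compare only, no deref */
    struct skb *late = calloc(1, sizeof *late);
    int n = queue_insert(&q, late);
    free(late);
    return n;
}
```

With the unfixed flush the resumed fragment sees a stale fragments_tail and would write into freed memory; with the reset the same fragment finds an empty queue and starts a run of length one.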

Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper cleanup routine for fragment queues in the Linux kernel causes a use‑after‑free during network namespace teardown. When a fragment resumes after the queue has been flushed, the code dereferences a freed fragments_tail pointer, potentially crashing the kernel or allowing an attacker who controls the freed socket buffer data to execute arbitrary code. The flaw is present in IPv6, nf_conntrack_reasm6, and 6lowpan reassembly code paths.

Affected Systems

All versions of the Linux kernel that have not yet incorporated the described patch are vulnerable. The issue impacts the standard Linux kernel used by all distributions and is specifically relevant to the IPv6, nf_conntrack_reasm6, and 6lowpan reassembly modules.

Risk and Exploitability

No public CVSS or EPSS score has been released, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. However, the use‑after‑free can render the kernel unstable or grant control to privileged attackers. Because the flaw is triggered during routine network namespace teardown, a threat actor would need the ability to create and destroy network namespaces on the affected system. Until a patch is applied, the risk is considered high for systems where network namespaces are in use.

Generated by OpenCVE AI on June 25, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch containing the commits referenced in the advisory, such as the series starting with 010c3313c4, 0e823ca0e7, 32594b09, 89b909e9, and c22599cc.
  • Rebuild or install a kernel that includes these patches, ensuring the updated code replaces the vulnerable routines.
  • Reboot the system to load the patched kernel.
  • Monitor system logs for fragmentation‑related crashes and, if possible, disable unused networking modules or reduce usage of network namespaces until the patch has been applied.

Generated by OpenCVE AI on June 25, 2026 at 12:21 UTC.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:45:00 +0000

Type                 Values Removed   Values Added
Weaknesses           (none)           CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           The full advisory text, identical to the Description section above.
Title                (none)           inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
First Time appeared  (none)           Linux; Linux linux Kernel
CPEs                 (none)           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Linux; Linux linux Kernel
References           (none)           (not shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:52.034Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53175

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T14:45:02Z

Weaknesses