Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()

iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock
that the timer callback also acquires, leading to an ABBA deadlock on
SMP systems.

For the output timer (iptfs_timer):
- iptfs_destroy_state() holds x->lock, calls hrtimer_cancel()
- iptfs_delay_timer() callback takes x->lock

For the drop timer (drop_timer):
- iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel()
- iptfs_drop_timer() callback takes drop_lock

Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq
context. When hrtimer_cancel() is called for a soft timer that is
currently executing on another CPU, hrtimer_cancel_wait_running() spins
on softirq_expiry_lock -- the same lock held by the softirq running the
callback. If the callback is blocked waiting for the spinlock held by
the caller of hrtimer_cancel(), a circular dependency forms:

CPU 0: holds lock_A -> waits for softirq_expiry_lock
CPU 1: holds softirq_expiry_lock -> waits for lock_A

Fix by calling hrtimer_cancel() before acquiring the respective locks.
hrtimer_cancel() is safe to call without holding any lock and will wait
for any in-progress callback to complete. For the output timer, the
lock is still acquired afterwards to drain the packet queue. For the
drop timer, the lock/unlock pair is removed entirely since it only
existed to serialize with the timer callback, which hrtimer_cancel()
already guarantees.

Found by source code audit.
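A lockdep-style model of the two lock orders described above, added here as an example and not code from the kernel or from the patch: it replays the acquisition sequence of the softirq timer callback and of iptfs_destroy_state() before and after the fix into a lock-order graph and reports whether they form an ABBA cycle. hrtimer_cancel_wait_running() spinning on softirq_expiry_lock is modelled as taking that lock; lock_A stands for either x->lock or drop_lock, and the names destroy_old, destroy_new and destroy_state_can_deadlock are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Locks from the advisory: lock_A stands for x->lock or drop_lock, and
 * softirq_expiry_lock is what hrtimer_cancel_wait_running() spins on. */
enum { LOCK_A = 0, SOFTIRQ_EXPIRY_LOCK = 1, NLOCKS = 2 };
#define REL(l) (-(l) - 1) /* a negative sequence entry releases lock l */
static bool order[NLOCKS][NLOCKS]; /* order[h][w]: w wanted while h held */
/* Replay one CPU's acquire/release sequence into the order graph. */
static void record_sequence(const int *seq, int n) {
    bool held[NLOCKS] = {false};
    for (int i = 0; i < n; i++) {
        if (seq[i] < 0) { held[REL(seq[i])] = false; continue; }
        for (int h = 0; h < NLOCKS; h++)
            if (held[h]) order[h][seq[i]] = true;
        held[seq[i]] = true;
    }
}
/* DFS: any cycle in the order graph is an ABBA inversion (lockdep-style). */
static bool dfs(int n, bool *onstack, bool *done) {
    if (onstack[n]) return true;
    if (done[n]) return false;
    onstack[n] = true;
    for (int m = 0; m < NLOCKS; m++)
        if (order[n][m] && dfs(m, onstack, done)) return true;
    onstack[n] = false;
    done[n] = true;
    return false;
}
/* Softirq side: the callback runs under softirq_expiry_lock, takes lock_A. */
static const int callback[] = {SOFTIRQ_EXPIRY_LOCK, LOCK_A, REL(LOCK_A), REL(SOFTIRQ_EXPIRY_LOCK)};
/* Unpatched iptfs_destroy_state(): hrtimer_cancel() spins with lock_A held. */
static const int destroy_old[] = {LOCK_A, SOFTIRQ_EXPIRY_LOCK, REL(SOFTIRQ_EXPIRY_LOCK), REL(LOCK_A)};
/* Patched: hrtimer_cancel() with no lock held, then lock_A to drain the queue. */
static const int destroy_new[] = {SOFTIRQ_EXPIRY_LOCK, REL(SOFTIRQ_EXPIRY_LOCK), LOCK_A, REL(LOCK_A)};
/* True when the destroy path and the timer callback can deadlock (constructed model). */
bool destroy_state_can_deadlock(bool patched) {
    bool onstack[NLOCKS] = {false}, done[NLOCKS] = {false};
    memset(order, 0, sizeof order);
    record_sequence(callback, 4);
    record_sequence(patched ? destroy_new : destroy_old, 4);
    for (int n = 0; n < NLOCKS; n++)
        if (dfs(n, onstack, done)) return true;
    return false;
}
int main(void) {
    printf("unpatched: %s\n", destroy_state_can_deadlock(false) ? "ABBA cycle" : "ok");
    printf("patched:   %s\n", destroy_state_can_deadlock(true) ? "ABBA cycle" : "ok");
    return 0;
}
```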
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An internal deadlock in the Linux kernel’s iptfs module was discovered. The iptfs_destroy_state() routine calls hrtimer_cancel() while holding a spinlock that the timer callback also acquires, and because the timers run in softirq context, on SMP systems this pattern induces an ABBA deadlock. The resulting system stall can prevent the kernel networking stack from functioning normally, effectively denying service to all processes that depend on it.

Affected Systems

The flaw applies to any Linux kernel version that includes the iptfs module without the patch. No specific affected version range is provided in the data, so all kernels that contain the unpatched iptfs implementation—particularly those running on multi‑core systems—could be vulnerable.

Risk and Exploitability

The deadlock originates from an internal kernel race condition; it would require triggering the state destruction while a timer callback is executing, which normally implies local or privileged access to the network stack. The EPSS score is not available and the CVE is not listed in CISA’s KEV catalog, indicating limited observed exploitation. Without a quantified CVSS score, the severity is inferred from the potential for a system‑wide hang on SMP hardware. The lock‑order inversion points to a moderate to high risk of denial of service rather than remote code execution.

Generated by OpenCVE AI on June 25, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that incorporates the fix, as implemented in commit 822b98d354e63e8249e85473c5f3c519f3c9cecc. This change cancels the timer before acquiring the spinlock, eliminating the deadlock.
  • If an immediate kernel upgrade is not feasible, limit use of the xfrm iptfs functionality or schedule periodic reboots to clear any lingering timer states, thereby reducing the chance of a deadlock occurring during high‑load periods.
  • Continuously monitor kernel logs for repeated timer cancellation or interrupt‑handling anomalies; if such issues persist, disable or migrate away from iptfs until the kernel patch can be applied.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:00:00 +0000

Type: Weaknesses
Values Added: CWE-754

Thu, 25 Jun 2026 09:15:00 +0000

Type: Description
Values Added: the CVE description quoted in full at the top of this page
Type: Title
Values Added: xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
Type: First Time appeared
Values Added: Linux; Linux linux Kernel
Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:06.991Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53197

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:45:03Z

Weaknesses
  • CWE-754 (Improper Check for Unusual or Exceptional Conditions)