Description
In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix possible kfree_skb of ERR_PTR

After the patch in the "Fixes" tag, the allocation of the "reply" skb
can happen either before or after locking the ovs_mutex.

However, error cleanups still follow the classical reversed order,
assuming "reply" is allocated before locking: it is freed after unlocking.

If "reply" allocation happens after locking the mutex and it fails,
"reply" is left with an ERR_PTR, and execution jumps to the correspondent
cleanup stage which will try to free an invalid pointer.

Fix this by setting the pointer to NULL after having saved its error
value.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Open vSwitch implementation within the Linux kernel, the allocation of a reply socket buffer can occur before or after acquiring the ovs_mutex lock. If the buffer allocation fails after the set to an ERR_PTR value. Cleanup code, however, assumes the pointer was allocated and attempts to free it after unlocking, leading to an invalid free and possible corruption of kernel memory. This flaw could trigger a corruption or provide an escalation path for privileged attackers. The description does not specify the exact attack vector; based on the affected component, it is inferred that exploitation would require privileged access to the Open vSwitch kernel module.

Affected Systems

The flaw affects the Linux kernel’s Open vSwitch module. No specific kernel version range is provided, so all kernels that include the unpatched Open vSwitch code are potentially vulnerable. The vendor identifiers list only “Linux:Linux” reflects the generic Linux kernel.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the general population, and the vulnerability is not listed in CISA’s KEV catalog. The flaw involves an invalid free in kernel space, which can lead to kernel crashes or denial of service. Exfiltration or other exploitation would require privileged access to the Open vSwitch module and a failure during packet allocation, making it non‑trivial but possible in a suitable environment.

Generated by OpenCVE AI on June 26, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that incorporates commit 0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d or later, which sets the pointer to NULL before freeing
  • Reboot the system to load the patched kernel and restart Open vSwitch after the upgrade
  • If an immediate kernel upgrade is not possible, disable or uninstall the Open vSwitch kernel module until the patch can be applied

Generated by OpenCVE AI on June 26, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix possible kfree_skb of ERR_PTR After the patch in the "Fixes" tag, the allocation of the "reply" skb can happen either before or after locking the ovs_mutex. However, error cleanups still follow the classical reversed order, assuming "reply" is allocated before locking: it is freed after unlocking. If "reply" allocation happens after locking the mutex and it fails, "reply" is left with an ERR_PTR, and execution jumps to the correspondent cleanup stage which will try to free an invalid pointer. Fix this by setting the pointer to NULL after having saved its error value.
Title net: openvswitch: fix possible kfree_skb of ERR_PTR
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:27.229Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53227

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53227 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:00:06Z

Weaknesses
  • CWE-763

    Release of Invalid Pointer or Reference