CVE-2026-53227 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix possible kfree_skb of ERR_PTR

After the patch in the "Fixes" tag, the allocation of the "reply" skb
can happen either before or after locking the ovs_mutex.

However, error cleanups still follow the classical reversed order,
assuming "reply" is allocated before locking: it is freed after unlocking.

If "reply" allocation happens after locking the mutex and it fails,
"reply" is left with an ERR_PTR, and execution jumps to the correspondent
cleanup stage which will try to free an invalid pointer.

Fix this by setting the pointer to NULL after having saved its error
value.

Published: 2026-06-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Open vSwitch implementation within the Linux kernel, the allocation of a reply socket buffer can occur before or after acquiring the ovs_mutex lock. If the buffer allocation fails after the lock has been taken, the variable is set to an ERR_PTR value. Cleanup code, however, assumes the pointer was allocated and attempts to free it after unlocking, leading to an invalid free and possible corruption of kernel memory. This flaw is a classic Use After Free vulnerability (CWE‑416) and could trigger a corruption, or provide an escalation path for privileged attackers.

Affected Systems

The flaw affects the Linux kernel’s Open vSwitch module. No specific kernel version range is provided, so all kernels that include the unpatched Open vSwitch code are potentially vulnerable. The vendor identifiers list only “Linux:Linux” and the CPE reflects the generic Linux kernel.

Risk and Exploitability

The CVSS score is not disclosed, and the EPSS score is unavailable, but the nature of the bug—an improper free in kernel space—implies a high degree of risk for denial of service and potential privilege escalation. The bug is not currently listed in CISA’s KEV catalog. Because the code path requires privileged access to the Open vSwitch module and a failure in packet allocation, exploitation is non‑trivial but conceivable in a suitable environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< e248fb2e680deb2bd37bac551b72638fe4938a76
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< 0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< 971b1b37774f13acc5add0a2843f8598446b8598
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< 25fdf53698535fe8790237f5a8a9626791429785
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< e3d509a1b71396e1452060dbf84a805fd1c3c549
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< ecc55aad3390129a87106841f4b68bf3d70c9264
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< 895d1dd9057cde1687fa0f4286d47ceed0b82997
`893f139b9a6c00c097b9082a90f3041cfb3a0d20`	affected	< ee30dd2909d8b98619f4341c70ec8dc8e155ab02

Linux

affected

Version	Status	Constraints
`3.16`	affected	—
`0`	unaffected	< 3.16
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that incorporates commit 0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d or later, which sets the pointer to NULL before freeing
Reboot the system to load the patched kernel and restart Open vSwitch after the upgrade
If an immediate kernel upgrade is not possible, disable or uninstall the Open vSwitch kernel module until the patch can be applied
Continuously monitor kernel logs for panic or Oops events that may indicate residual issues

Generated by OpenCVE AI on June 25, 2026 at 11:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00198.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d
https://git.kernel.org/stable/c/25fdf53698535fe8790237f5a8a9626791429785
https://git.kernel.org/stable/c/895d1dd9057cde1687fa0f4286d47ceed0b82997
https://git.kernel.org/stable/c/971b1b37774f13acc5add0a2843f8598446b8598
https://git.kernel.org/stable/c/e248fb2e680deb2bd37bac551b72638fe4938a76
https://git.kernel.org/stable/c/e3d509a1b71396e1452060dbf84a805fd1c3c549
https://git.kernel.org/stable/c/ecc55aad3390129a87106841f4b68bf3d70c9264
https://git.kernel.org/stable/c/ee30dd2909d8b98619f4341c70ec8dc8e155ab02

History

Thu, 25 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix possible kfree_skb of ERR_PTR After the patch in the "Fixes" tag, the allocation of the "reply" skb can happen either before or after locking the ovs_mutex. However, error cleanups still follow the classical reversed order, assuming "reply" is allocated before locking: it is freed after unlocking. If "reply" allocation happens after locking the mutex and it fails, "reply" is left with an ERR_PTR, and execution jumps to the correspondent cleanup stage which will try to free an invalid pointer. Fix this by setting the pointer to NULL after having saved its error value.
Title		net: openvswitch: fix possible kfree_skb of ERR_PTR
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d https://git.kernel.org/stable/c/25fdf53698535fe8790237f5a8a9626791429785 https://git.kernel.org/stable/c/895d1dd9057cde1687fa0f4286d47ceed0b82997 https://git.kernel.org/stable/c/971b1b37774f13acc5add0a2843f8598446b8598 https://git.kernel.org/stable/c/e248fb2e680deb2bd37bac551b72638fe4938a76 https://git.kernel.org/stable/c/e3d509a1b71396e1452060dbf84a805fd1c3c549 https://git.kernel.org/stable/c/ecc55aad3390129a87106841f4b68bf3d70c9264 https://git.kernel.org/stable/c/ee30dd2909d8b98619f4341c70ec8dc8e155ab02

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:27.229Z

Updated: 2026-06-25T08:39:27.229Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53227

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses

CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object