CVE-2026-53239 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO)
========================== ==========================
xfrm_policy_bysel_ctx():
spin_lock_bh(xfrm_policy_lock)
bin = xfrm_policy_inexact_lookup()
__xfrm_policy_unlink(pol)
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_kill(ret)
// wide window, lock not held
xfrm_hash_rebuild():
spin_lock_bh(xfrm_policy_lock)
__xfrm_policy_inexact_flush():
kfree_rcu(bin) // bin freed
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_inexact_prune_bin(bin)
// UAF: bin is freed

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel a race condition in the xfrm policy lookup path can cause a use‑after‑free of a policy bin. The bug is triggered when one thread deletes a policy while another thread is in the process of looking it up and later attempts to prune the bin. Because the bin is freed while still referenced, an attacker could coerce a kernel crash or potentially corrupt kernel memory, leading to loss of integrity or, on some architectures, privilege escalation. This flaw corresponds to CWE‑416, a use‑after‑free weakness.

Affected Systems

The vulnerability affects the Linux kernel whenever the xfrm framework is enabled. No specific vendor version is listed, so all kernel releases prior to the commit that removed the race path are considered vulnerable. The fix is included in later kernel versions referenced by the commit logs linked in the advisory.

Risk and Exploitability

A CVSS score is not supplied; however, the nature of the flaw—a use‑after‑free—suggests a high impact. The EPSS data is unavailable, and the vulnerability is not listed in CISA KEV, indicating that no mass exploitation has been reported. The likely attack vector is local or privileged; an attacker would needFRM policy modification messages (such as XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO) to the kernel and coordinate timing with another thread. Because the race occurs during policy lookup, the opportunity window is narrow, but a skilled attacker could design sequences that trigger the crash or exploit memory corruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 8fc536e9f6856230f19c7d13e71af064b6a77b22
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 42827d03f8009a6a218bacab153e21f39d6a121c
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 88697cf980222d5906a37bf47662dac0732e2a0f
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< b5316e2b8614a87d8736941972441cb47bfd4491
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< ec82ea4eb220164d854f8734ca5a35e23e577b94
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 7f2d76c9c03257c0782afef9d95321fa04096f60

Linux

affected

Version	Status	Constraints
`5.0`	affected	—
`0`	unaffected	< 5.0
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that removes xfrm_policy_inexact_prune_bin() and fixes the race condition. The patch is present in kernel commits such as 25c8c7fb3b0b96d03f8009a6a, referenced in the advisory.
Reboot the system to load the updated kernel and ensure the vulnerable code path is no longer present.
If upgrading the kernel is not immediately possible, restrict the use of XFRM policy modification sockets and enforce least privilege; consider temporarily disabling XFRM features while the system is undergoing maintenance.

Generated by OpenCVE AI on June 25, 2026 at 11:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c
https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60
https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f
https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22
https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491
https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94

History

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed. Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed
Title		xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7 https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60 https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22 https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491 https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821 https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:35.149Z

Updated: 2026-06-25T08:39:35.149Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53239

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:15:10Z

Weaknesses

CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object