Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload

__input_process_payload() stores first_skb into xtfs->ra_newskb under
drop_lock when starting partial reassembly, then unlocks and breaks out
of the processing loop. The post-loop check reads xtfs->ra_newskb
without the lock to decide whether first_skb is still owned:

if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)

Between spin_unlock and this read, a concurrent CPU running
iptfs_reassem_cont() (or the drop_timer hrtimer) can complete
reassembly, NULL xtfs->ra_newskb, and free the skb. The check then
evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb
operate on the freed skb — a use-after-free in skbuff_head_cache.

Replace the unlocked read with a local bool that records whether
first_skb was handed to the reassembly state in the current call. The
flag is set after the existing spin_unlock, before the break, using the
pointer equality that is stable at that point (first_skb == skb iff
first_skb was stored in ra_newskb).
Published: 2026-06-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a flaw in the Linux kernel’s XFRM/iptfs packet reassembly logic, where the first socket buffer is stored and later accessed without proper locking. This use‑after‑free can result in the kernel operating on freed memory, potentially causing a crash. The description does not explicitly state a use trigger a kernel panic or execute code if the freed memory is reused maliciously.

Affected Systems

All publicly released Linux kernel versions that have the affected XFRM/iptfs reassembly code path and have not yet incorporated the patch commit 8d9a79fb5 are vulnerable. The commit was introduced in June 2026; kernels built prior to that commit are affected, while any kernel including the commit or later is considered patched.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is reported as less than 1 %, suggesting that documented exploitation is rare. The vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known or confirmed exploits. The flaw is a classic concurrency‑based use‑after‑free (CWE‑367). An attacker would need to inject or manipulate fragmented network packets that trigger the reassembly path. The most likely attack vector would involve crafted network traffic targeting interfaces that process such fragments; if exploitation is achieved, the kernel‑level nature of the defect implies that a crash or other adverse impact could follow.

Generated by OpenCVE AI on June 28, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit 8d9a79fb5 or later.
  • If a kernel upgrade is not immediately possible, block or filter suspicious fragmented traffic on network interfaces that the reassembly process handles, to reduce the likelihood that the defect is exercised.
  • Consider applying a temporary backport patch that implements the same use‑after‑free fix until an official kernel update is available.

Generated by OpenCVE AI on June 28, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload __input_process_payload() stores first_skb into xtfs->ra_newskb under drop_lock when starting partial reassembly, then unlocks and breaks out of the processing loop. The post-loop check reads xtfs->ra_newskb without the lock to decide whether first_skb is still owned: if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb) Between spin_unlock and this read, a concurrent CPU running iptfs_reassem_cont() (or the drop_timer hrtimer) can complete reassembly, NULL xtfs->ra_newskb, and free the skb. The check then evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb operate on the freed skb — a use-after-free in skbuff_head_cache. Replace the unlocked read with a local bool that records whether first_skb was handed to the reassembly state in the current call. The flag is set after the existing spin_unlock, before the break, using the pointer equality that is stable at that point (first_skb == skb iff first_skb was stored in ra_newskb).
Title xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:48.086Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53240

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53240 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition