Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload

__input_process_payload() stores first_skb into xtfs->ra_newskb under
drop_lock when starting partial reassembly, then unlocks and breaks out
of the processing loop. The post-loop check reads xtfs->ra_newskb
without the lock to decide whether first_skb is still owned:

if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)

Between spin_unlock and this read, a concurrent CPU running
iptfs_reassem_cont() (or the drop_timer hrtimer) can complete
reassembly, NULL xtfs->ra_newskb, and free the skb. The check then
evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb
operate on the freed skb — a use-after-free in skbuff_head_cache.

Replace the unlocked read with a local bool that records whether
first_skb was handed to the reassembly state in the current call. The
flag is set after the existing spin_unlock, before the break, using the
pointer equality that is stable at that point (first_skb == skb iff
first_skb was stored in ra_newskb).
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free occurs in the __input_process_payload() function within the XFRM/iptfs subsystem when the first socket buffer is stored and later accessed without proper locking after the processing loop exits. If a concurrent reassembly or timer frees the buffer, subsequent operations on that freed memory trigger a kernel‑space use‑after‑free. Based on the description, it is inferred that this flaw may lead to kernel crashes or possibly arbitrary code execution, effectively providing an attacker with kernel‑level privileges or denial of service.

Affected Systems

All Linux kernel builds that include the vulnerable XFRM/iptfs reassembly code are affected. The specific fix is implemented in commit 8d9a79fbf5172d9c4c0146057af2360913265a11; any kernel version prior to that commit is vulnerable, while kernels containing that commit or later are considered patched.

Risk and Exploitability

The vulnerability is a classic use‑after‑free (CWE‑416). Although no CVSS score or EPSS information is available, the nature of the flaw suggests the possibility that an attacker could trigger the reassembly path by sending crafted packet fragments. Based on the description, it is inferred that exploitation could result in kernel crashes or kernel‑level code execution, effectively providing denial of service or escalation of privileges. The vulnerability is not listed in CISA’s KEV catalog. It is inferred that the attack vector would likely involve network traffic targeting the reassembly logic, and because exploitation requires only such network access, the risk is considered potentially high, yet the lack of publicly available exploit details or score metrics means security teams should treat it as a serious kernel flaw worth addressing promptly.

Generated by OpenCVE AI on June 25, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch commit 8d9a79fbf5172d9c4c0146057af2360913265a11.
  • Restart the system after the kernel update so the patched kernel is active.
  • Apply network segmentation or firewall rules to limit exposure to attacker‑crafted packet fragments while the patch is being deployed.

Generated by OpenCVE AI on June 25, 2026 at 12:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload __input_process_payload() stores first_skb into xtfs->ra_newskb under drop_lock when starting partial reassembly, then unlocks and breaks out of the processing loop. The post-loop check reads xtfs->ra_newskb without the lock to decide whether first_skb is still owned: if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb) Between spin_unlock and this read, a concurrent CPU running iptfs_reassem_cont() (or the drop_timer hrtimer) can complete reassembly, NULL xtfs->ra_newskb, and free the skb. The check then evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb operate on the freed skb — a use-after-free in skbuff_head_cache. Replace the unlocked read with a local bool that records whether first_skb was handed to the reassembly state in the current call. The flag is set after the existing spin_unlock, before the break, using the pointer equality that is stable at that point (first_skb == skb iff first_skb was stored in ra_newskb).
Title xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:35.809Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53240

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses