Description
In the Linux kernel, the following vulnerability has been resolved:

l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()

pppol2tp_ioctl() read sock->sk->sk_user_data directly without any
locks or reference counting. If a controllable sleep was induced during
copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent
socket close could trigger pppol2tp_session_close() asynchronously. This
frees the l2tp_session structure via the l2tp_session_del_work workqueue.
Upon resuming, the ioctl thread dereferences the stale session pointer,
resulting in a Use-After-Free (UAF).

Fix this by securely fetching the session reference using the RCU-safe,
refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the
session's refcount across the sleep. We structured the function to exit
via standard err breaks, guaranteeing that l2tp_session_put() is cleanly
called on all return paths to drop the reference.

To preserve existing behavior we validate the session and its magic
signature only for the specific L2TP commands that require it. This
ensures that generic/unknown ioctls called on an unconnected socket
still return -ENOIOCTLCMD and correctly fall back to generic handlers
(e.g. in sock_do_ioctl()).
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in pppol2tp_ioctl() where the session pointer is read from a socket’s sk_user_data without acquiring a reference or locking the structure (CWE‑911: Use‑After‑Free). If an attacker can induce a controllable sleep during a copy_from_user call—such as via a userfaultfd page fault—while another thread closes the socket, the session can be freed asynchronously through a workqueue. When the ioctl resumes, it dereferences the stale pointer, causing a use‑after‑free that corrupts kernel memory and can be leveraged by a local attacker to execute arbitrary code with elevated privileges.

Affected Systems

All Linux kernel builds that ship with the pppol2tp module and have not incorporated the reference‑counted pppol2tp_sock_to_session helper are affected. The vulnerability applies broadly to any kernel prior to the fix commit; all earlier versions contain the unprotected ioctl path and are vulnerable.

Risk and Exploitability

The EPSS score is reported as < 1 %, indicating a very low probability of real‑world exploitation, and the flaw is not listed in the CISA KEV catalog. The CVSS score is 7.8, confirming a high severity level. Because the flaw allows kernel memory corruption via a race condition that can be triggered by local users, the overall risk is therefore classified as high severity for local attackers who can use the race condition to gain elevated privileges.

Generated by OpenCVE AI on June 28, 2026 at 14:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the pppol2tp_ioctl use‑after‑free fix, which introduces the refcounted pppol2tp_sock_to_session helper
  • If an immediate kernel upgrade is not possible, disable the L2TP services or unload the pppol2tp module to prevent creation of vulnerable sockets
  • Monitor system logs for kernel oops, panic events, or abnormal behavior involving PPPoL2TP and apply security updates promptly as they become available

Generated by OpenCVE AI on June 28, 2026 at 14:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() pppol2tp_ioctl() read sock->sk->sk_user_data directly without any locks or reference counting. If a controllable sleep was induced during copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent socket close could trigger pppol2tp_session_close() asynchronously. This frees the l2tp_session structure via the l2tp_session_del_work workqueue. Upon resuming, the ioctl thread dereferences the stale session pointer, resulting in a Use-After-Free (UAF). Fix this by securely fetching the session reference using the RCU-safe, refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the session's refcount across the sleep. We structured the function to exit via standard err breaks, guaranteeing that l2tp_session_put() is cleanly called on all return paths to drop the reference. To preserve existing behavior we validate the session and its magic signature only for the specific L2TP commands that require it. This ensures that generic/unknown ioctls called on an unconnected socket still return -ENOIOCTLCMD and correctly fall back to generic handlers (e.g. in sock_do_ioctl()).
Title l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:41:05.245Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53262

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53262 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count