Description
In the Linux kernel, the following vulnerability has been resolved:

l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()

pppol2tp_ioctl() read sock->sk->sk_user_data directly without any
locks or reference counting. If a controllable sleep was induced during
copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent
socket close could trigger pppol2tp_session_close() asynchronously. This
frees the l2tp_session structure via the l2tp_session_del_work workqueue.
Upon resuming, the ioctl thread dereferences the stale session pointer,
resulting in a Use-After-Free (UAF).

Fix this by securely fetching the session reference using the RCU-safe,
refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the
session's refcount across the sleep. We structured the function to exit
via standard err breaks, guaranteeing that l2tp_session_put() is cleanly
called on all return paths to drop the reference.

To preserve existing behavior we validate the session and its magic
signature only for the specific L2TP commands that require it. This
ensures that generic/unknown ioctls called on an unconnected socket
still return -ENOIOCTLCMD and correctly fall back to generic handlers
(e.g. in sock_do_ioctl()).
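
The pattern the fix describes (take a counted reference on entry, let the call that may sleep run, validate the session only for L2TP-specific commands, and drop the reference on every exit path) is shown below in a small userland model. This is an added illustration, not the kernel's code: struct and function names prefixed `model_` are hypothetical stand-ins for the kernel's session, socket, `pppol2tp_sock_to_session()` and `l2tp_session_put()`, the error and command numbers are constructed, and the "concurrent close" is a callback that runs where `copy_from_user()` would block. The pre-fix behaviour is not executed, since it would dereference freed memory.

```c
#include <stdlib.h>

/* Constructed model, not kernel code: stand-in error codes and ioctl numbers. */
enum { MODEL_EBADF = 9, MODEL_ENOIOCTLCMD = 515 };
enum { MODEL_PPPIOC_L2TP_CMD = 1, MODEL_GENERIC_CMD = 99 };
#define MODEL_SESSION_MAGIC 0x5E551011u

struct model_session {
    unsigned int magic;   /* validated only on the L2TP-specific ioctl path */
    int refcount;
};

struct model_sock {
    struct model_session *sk_user_data;  /* NULL on an unconnected socket */
};

static int model_live_sessions;  /* bookkeeping so a test can observe frees */

static struct model_session *model_session_create(void)
{
    struct model_session *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->magic = MODEL_SESSION_MAGIC;
    s->refcount = 1;           /* the socket's own reference */
    model_live_sessions++;
    return s;
}

static struct model_session *model_session_get(struct model_session *s)
{
    if (s)
        s->refcount++;
    return s;
}

/* Stand-in for l2tp_session_put(): the last reference frees the object. */
static void model_session_put(struct model_session *s)
{
    if (!s)
        return;
    if (--s->refcount == 0) {
        s->magic = 0;
        model_live_sessions--;
        free(s);
    }
}

/* Stand-in for pppol2tp_sock_to_session(): returns the session with a
 * reference held, or NULL if the socket is not connected to one. */
static struct model_session *model_sock_to_session(struct model_sock *sk)
{
    return model_session_get(sk->sk_user_data);
}

/* Stand-in for the concurrent close: the socket drops its reference and
 * clears the pointer; the session is freed only if nobody else holds it. */
static void model_sock_close(struct model_sock *sk)
{
    struct model_session *s = sk->sk_user_data;
    sk->sk_user_data = NULL;
    model_session_put(s);
}

/* The fixed pattern: reference taken on entry, sleep, per-command validation,
 * single release point reached from every break. `during_sleep` stands in
 * for whatever runs while copy_from_user() blocks. */
static int model_ioctl_fixed(struct model_sock *sk, int cmd,
                             void (*during_sleep)(struct model_sock *))
{
    struct model_session *session = model_sock_to_session(sk);
    int err;

    if (during_sleep)
        during_sleep(sk);

    switch (cmd) {
    case MODEL_PPPIOC_L2TP_CMD:
        /* Before the fix this pointer was read from sk->sk_user_data with no
         * reference held, so a close during the sleep could have freed it. */
        if (!session || session->magic != MODEL_SESSION_MAGIC) {
            err = -MODEL_EBADF;
            break;
        }
        err = 0;
        break;
    default:
        /* Generic/unknown ioctl: fall back without touching the session. */
        err = -MODEL_ENOIOCTLCMD;
        break;
    }

    model_session_put(session);   /* dropped on every return path */
    return err;
}

/* Scenario: the socket is closed while the ioctl sleeps. Returns the ioctl
 * result and reports whether the session was released once it returned. */
static int model_close_during_sleep(int cmd, int *freed_after)
{
    struct model_sock sk = { model_session_create() };
    int err = model_ioctl_fixed(&sk, cmd, model_sock_close);
    *freed_after = (model_live_sessions == 0);
    return err;
}
```

With the reference held, the close that runs during the sleep only lowers the count to one; the session stays valid for the rest of the ioctl and is freed by the ioctl's own put, which is exactly the lifetime the fix establishes. An unconnected socket still gets -ENOIOCTLCMD for a generic command because the session is only checked inside the L2TP-specific case.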
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because pppol2tp_ioctl() reads the socket's session pointer without holding a reference, and a controllable sleep can be induced during copy_from_user(). If the socket is closed concurrently, the session is freed, and when the ioctl resumes it dereferences the stale pointer. This use-after-free can corrupt kernel memory and may be leveraged by a local user with access to L2TP sockets to achieve privilege escalation. The weakness is a classic kernel memory corruption flaw.

Affected Systems

The affected product is the Linux kernel; any build that includes the pppol2tp module with the vulnerable ioctl path is impacted. No specific version ranges are given in the data, so any kernel prior to the commit that makes pppol2tp_ioctl() fetch the session through the reference-counted helper pppol2tp_sock_to_session() may be vulnerable.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in KEV. The flaw is a kernel use-after-free, which normally represents a high-severity local privilege escalation. A local attacker must be able to open an L2TP socket, invoke the ioctl, and induce a sleep (e.g., via userfaultfd). The attack vector is thus inferred to be local user context. Because of the absence of exploitation data, the exact likelihood of remote exploitation is unknown, but the potential impact is significant.

Generated by OpenCVE AI on June 25, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the pppol2tp_ioctl() use-after-free fix, i.e. the change that fetches the session through the reference-counted helper pppol2tp_sock_to_session()
  • If a kernel upgrade is not immediately possible, disable L2TP or unload the PPPoL2TP module so that vulnerable sockets cannot be created
  • Monitor the system for anomalous Oops or crash logs related to PPPoL2TP and apply any patch or advisories as they become available


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   (none)           CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           (the full description shown under Description above)
Title                (none)           l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
First Time appeared  (none)           Linux; Linux linux Kernel
CPEs                 (none)           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:50.550Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53262

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:13Z

Weaknesses