CVE-2026-53264 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: use RCU with deferred freeing for action lifecycle

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
race with an associated action.

Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

0: mutex_lock() <-- holds the idr lock
0: rcu_read_lock()
0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
0: mutex_unlock() <-- releases the idr lock
1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
1: idr_remove(idr, index) <-- Action removed from IDR
1: mutex_unlock() <-- mutex released allowing us to delete the action
1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by
adding struct rcu_head to tc_action used in the deferral and introducing a
call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

0: rcu_read_lock()
1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
1: idr_remove(idr, index)
1: mutex_unlock()
1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
0: p = idr_find(idr, index)
0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
1: rcu_read_unlock() <-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR.
CPU0's subsequent idr_find() will return NULL, and even if it still held a
stale pointer, the immediate kfree() is now deferred until after the RCU grace
period, so no UAF can occur.

Published: 2026-06-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition arises when the Linux kernel concurrently processes NEWTFILTER and DELFILTER operations in the traffic‑control (tc) subsystem. While an action structure is held under a mutex, another CPU may decrement its reference count and remove it from the IDR, immediately freeing the structure. The first CPU then attempts to increment the reference count on the already freed pointer, resulting in a use‑after‑free. The patch introduces an RCU‑based deferred free to eliminate the race. This flaw is a classic use‑after‑free (CWE‑416) that can lead to kernel memory corruption.

Affected Systems

The vulnerability affects all Linux kernel versions that include the traffic‑control scheduling subsystem and have not yet applied the RCU‑deferral commit. It is not tied to a specific vendor edition; any kernel build that supports tc filters is potentially affected when the patch is absent.

Risk and Exploitability

No CVSS score or EPSS value is published, and the vulnerability is not listed in CISA’s KEV catalog, so public exploitation activity is unknown. The description indicates that a user with the ability to add or remove tc filters can trigger the race, so it is inferred that a local or privileged attacker can exploit the flaw. The potential for local privilege escalation or kernel compromise gives the risk a moderate to high weight for systems where traffic‑control configuration is available.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 98b2e40879abf0245be5a5b7af69e0f6ff524ac3
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 18af5d2ef0c4f65787fd1280c8b23286b9f2a835
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 1f1b98fea6b9ea30507d0f2fbff6750292d097e2
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 8b136f18ac4b2ace5aaad3305b3f8a5d8165a009
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 5dd51e09020c65aa53cf128e5e3517cd53b3c113
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< b60e9391142e983fab2be53497aa8f71fdd09cd5
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 91d105d2cbe002f9c7b43a6183adedc37e1da1f7
`d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da`	affected	< 5057e1aca011e51ef51498c940ef96f3d3e8a305

Linux

affected

Version	Status	Constraints
`4.14`	affected	—
`0`	unaffected	< 4.14
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the commit adding RCU deferral for tc_action freeing
Reboot or reload the kernel to activate the new code
If traffic‑control features are not required, disable scheduling filters to eliminate the attack surface

Generated by OpenCVE AI on June 25, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00172.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835
https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2
https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305
https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113
https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009
https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7
https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3
https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5

History

Thu, 25 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: use RCU with deferred freeing for action lifecycle When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action. Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER: 0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree(). Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu(). Let's illustrate the new restored code path: 0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.
Title		net/sched: act_api: use RCU with deferred freeing for action lifecycle
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835 https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2 https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305 https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113 https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009 https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7 https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3 https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:51.870Z

Updated: 2026-06-25T08:39:51.870Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53264

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses

CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object