Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: synproxy: add mutex to guard hook reference counting

As the synproxy infrastructure registers netfilter hooks on demand when a
user adds the first iptables target or nftables expression, if done
concurrently they can race each other.

Introduce a mutex to serialize the refcount control blocks access from
both frontends. While a per namespace mutex might be more efficient, it
is not needed for target/expression like SYNPROXY.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition (CWE-362) in the Linux kernel's netfilter SYNPROXY hook registration path. The SYNPROXY hooks are not registered at module load but on demand, when the first iptables SYNPROXY target or nftables synproxy expression is added, and unregistered when the last one is removed; both frontends share the same reference-counted control block. Two concurrent rule insertions (or an insertion racing a removal) could both observe the same count before either updated it, leaving the hooks registered twice or the count out of step with the number of users. The resulting undefined behaviour can manifest as a kernel warning, oops or panic, i.e. a denial of service of the host, for anyone able to trigger concurrent hook registration. The upstream fix introduces a single mutex that serializes access to the refcount control blocks from both frontends; the commit notes that a per-namespace mutex would be more efficient but is unnecessary for a target/expression such as SYNPROXY.
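The load/test/store race and the effect of the mutex, as an added example that is not part of the original page or of the kernel's own code: a deterministic two-frontend model in C. The names synproxy_state, step_get and run_schedule are hypothetical, and the kernel's real hook registration calls are reduced to a counter. The same interleaving is run twice, once with the unguarded sequence and once with the three steps inside a critical section that models the mutex added by the fix.

```c
/* Added example (not kernel code): a deterministic model of the SYNPROXY
 * hook refcount race.  synproxy_state, step_get and run_schedule are
 * hypothetical names; hook registration is reduced to a counter. */
#include <stdbool.h>
#include <stdio.h>

#define NFRONT 2   /* two frontends: iptables target, nftables expression */

struct synproxy_state {
    int refcnt;           /* users of the hooks (targets + expressions) */
    int hooks_registered; /* net count of register calls (must stay 0 or 1) */
    int lock_owner;       /* -1 = free; models the mutex added by the fix */
};

struct frontend {
    int pc;   /* which step of the "get hooks" path runs next; 3 = done */
    int seen; /* refcnt value loaded in step 0 */
};

/* One step of the get path: load refcnt, register if it was zero, store
 * refcnt + 1.  With use_mutex the three steps form a critical section.
 * Returns false if the step was blocked because the other frontend holds
 * the mutex. */
static bool step_get(struct synproxy_state *st, struct frontend *fe, int id,
                     bool use_mutex)
{
    if (use_mutex && st->lock_owner != -1 && st->lock_owner != id)
        return false;

    switch (fe->pc) {
    case 0:
        if (use_mutex)
            st->lock_owner = id;
        fe->seen = st->refcnt;        /* load */
        break;
    case 1:
        if (fe->seen == 0)            /* first user registers the hooks */
            st->hooks_registered++;
        break;
    case 2:
        st->refcnt = fe->seen + 1;    /* store */
        if (use_mutex)
            st->lock_owner = -1;
        break;
    default:
        return true;                  /* already finished */
    }
    fe->pc++;
    return true;
}

/* sched[i] names the frontend that tries to run next; a frontend blocked on
 * the mutex simply retries at its next turn.  After the schedule, every
 * frontend gets enough turns to finish its remaining steps. */
static struct synproxy_state run_schedule(const int *sched, int n, bool use_mutex)
{
    struct synproxy_state st = { .refcnt = 0, .hooks_registered = 0, .lock_owner = -1 };
    struct frontend fe[NFRONT] = { { 0, 0 }, { 0, 0 } };

    for (int i = 0; i < n; i++)
        step_get(&st, &fe[sched[i]], sched[i], use_mutex);
    for (int round = 0; round < 8; round++)
        for (int id = 0; id < NFRONT; id++)
            step_get(&st, &fe[id], id, use_mutex);
    return st;
}

/* The interleaving that breaks the unguarded path: both frontends load
 * refcnt == 0 before either has stored, so both take the register branch. */
static const int race_schedule[] = { 0, 1, 0, 1, 0, 1 };

static int hooks_after_race(bool use_mutex)
{
    return run_schedule(race_schedule, 6, use_mutex).hooks_registered;
}

static int refcnt_after_race(bool use_mutex)
{
    return run_schedule(race_schedule, 6, use_mutex).refcnt;
}

int main(void)
{
    printf("unguarded:  hooks_registered=%d refcnt=%d\n",
           hooks_after_race(false), refcnt_after_race(false));
    printf("with mutex: hooks_registered=%d refcnt=%d\n",
           hooks_after_race(true), refcnt_after_race(true));
    return 0;
}
```

Without the mutex the schedule ends with the hooks registered twice and a refcount of 1 for two users, so the first teardown would already drop the hooks while the other rule still relies on them; with the mutex the second frontend is held at step 0 until the first has stored, sees refcnt == 1, skips registration, and the state ends at one registration and a refcount of 2. The single global lock in the model mirrors the commit's choice of one mutex rather than one per network namespace.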

Affected Systems

Any kernel that carries the shared SYNPROXY infrastructure registering hooks on demand for both the iptables target and the nftables expression, and that does not include the commit named in the description, is affected. The page lists no affected version ranges and no fixed versions, so confirm the fix against the distribution's kernel changelog or backport tracking rather than assuming a version boundary. Only systems that actually load SYNPROXY rules exercise the affected registration path; the rest of netfilter is not implicated.

Risk and Exploitability

No CVSS score has been assigned, the EPSS estimate is below 1%, and the CVE is not listed in the CISA KEV catalog, so no exploitation has been documented. The race is reachable only by adding or removing SYNPROXY rules: the hooks are registered when the first iptables SYNPROXY target or nftables synproxy expression is added, so triggering it requires the ability to modify the firewall rule set of the network namespace, i.e. CAP_NET_ADMIN there. Nothing on this page indicates that the flaw can be reached from packet processing alone or triggered remotely. The realistic vector is therefore concurrent rule-set modification by administrators, automation that runs configuration scripts in parallel, or an attacker who already holds network-administration rights, and the outcome is a denial of service of that host rather than a remote compromise.

Generated by OpenCVE AI on June 25, 2026 at 11:43 UTC.

Remediation

No vendor advisory or fixed package versions are listed yet. The upstream fix is the kernel commit named in the description (a mutex guarding the SYNPROXY hook reference counting); check the distribution's channels for a backport.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the mutex patch for SYNPROXY hook registration.
  • If an immediate kernel update is not possible, avoid adding or removing SYNPROXY rules from concurrent processes and do not drive SYNPROXY from both the iptables and nftables frontends at the same time: apply rule sets through a single serialized configuration path (for example one nft -f run, or iptables invoked with -w so that callers wait for the xtables lock) rather than parallel configuration scripts.
  • Monitor kernel logs for oops, WARN or panic messages mentioning netfilter or synproxy, and disable SYNPROXY where it is not required so that the affected registration path is never exercised.

Generated by OpenCVE AI on June 25, 2026 at 11:43 UTC.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:00:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-362

Thu, 25 Jun 2026 09:15:00 +0000

Type                 Values Removed    Values Added
Description                            In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: add mutex to guard hook reference counting. As the synproxy infrastructure registers netfilter hooks on demand when a user adds the first iptables target or nftables expression, if done concurrently they can race each other. Introduce a mutex to serialize the refcount control blocks access from both frontends. While a per namespace mutex might be more efficient, it is not needed for target/expression like SYNPROXY.
Title                                  netfilter: synproxy: add mutex to guard hook reference counting
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:55.172Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53269

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:45:03Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')