Description
In the Linux kernel, the following vulnerability has been resolved:

ipvs: clear the svc scheduler ptr early on edit

ip_vs_edit_service() while unbinding the old scheduler clears
the svc->scheduler ptr after the scheduler module initiates
RCU callbacks. This can cause packets to use the old
scheduler at the time when svc->sched_data is already freed
after RCU grace period.

Fix it by clearing the ptr early in ip_vs_unbind_scheduler(),
before the done_service method schedules any RCU callbacks.

Also, if the new scheduler fails to initialize when replacing
the old scheduler, try to restore the old scheduler while still
returning the error code.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the IPVS load‑balanced service module. When a service’s scheduler is unbound, the svc->scheduler pointer is cleared only after RCU callbacks are scheduled. This timing gap can cause the scheduler structure to be freed while packets are still being processed, leading to a use‑after‑free bug (CWE‑416). The resulting kernel memory corruption can trigger a crash or, if an attacker can control the freed memory, allow arbitrary code execution in kernel context.

Affected Systems

All Linux kernel versions that include the IPVS module and run the unpatched ip_vs_edit_service() path are potentially affected. The CVE does not specify affected kernel releases, so systems running a Linux kernel with IPVS enabled are at risk.

Risk and Exploitability

The CVSS score is not publicly available and EPSS is missing. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to a host running the vulnerable IPVS service. The lack of a low exploitation probability score combined with the severity of kernel memory corruption warrants a high‑risk assessment. An attacker could cause denial of service or elevate privileges on the host.

Generated by OpenCVE AI on June 25, 2026 at 13:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel patch that clears the scheduler pointer early during ip_vs_unbind_scheduler(); this is the official vendor fix and mitigates the use‑after‑free (CWE‑416).
  • Rebuild your kernel from the updated source or install a distribution kernel that includes the fix.
  • If patching cannot be performed immediately, stop or disable the IPVS load‑balanced service until the kernel is updated.

Generated by OpenCVE AI on June 25, 2026 at 13:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipvs: clear the svc scheduler ptr early on edit ip_vs_edit_service() while unbinding the old scheduler clears the svc->scheduler ptr after the scheduler module initiates RCU callbacks. This can cause packets to use the old scheduler at the time when svc->sched_data is already freed after RCU grace period. Fix it by clearing the ptr early in ip_vs_unbind_scheduler(), before the done_service method schedules any RCU callbacks. Also, if the new scheduler fails to initialize when replacing the old scheduler, try to restore the old scheduler while still returning the error code.
Title ipvs: clear the svc scheduler ptr early on edit
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:55.830Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53270

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses