CVE-2026-53239 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO)
========================== ==========================
xfrm_policy_bysel_ctx():
spin_lock_bh(xfrm_policy_lock)
bin = xfrm_policy_inexact_lookup()
__xfrm_policy_unlink(pol)
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_kill(ret)
// wide window, lock not held
xfrm_hash_rebuild():
spin_lock_bh(xfrm_policy_lock)
__xfrm_policy_inexact_flush():
kfree_rcu(bin) // bin freed
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_inexact_prune_bin(bin)
// UAF: bin is freed

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00184.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 8fc536e9f6856230f19c7d13e71af064b6a77b22
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 42827d03f8009a6a218bacab153e21f39d6a121c
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 88697cf980222d5906a37bf47662dac0732e2a0f
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< b5316e2b8614a87d8736941972441cb47bfd4491
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< ec82ea4eb220164d854f8734ca5a35e23e577b94
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 7f2d76c9c03257c0782afef9d95321fa04096f60

Linux

affected

Version	Status	Constraints
`5.0`	affected	—
`0`	unaffected	< 5.0
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c
https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60
https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f
https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22
https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491
https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94

History

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed. Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed
Title		xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7 https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60 https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22 https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491 https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821 https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:35.149Z

Updated: 2026-06-25T08:39:35.149Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53239

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T18:30:14Z

Weaknesses

CWE-416

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object