9.8 / 10 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and
flushes every fragment queue that is not yet complete using
inet_frag_queue_flush(). That helper frees all the skbs queued on the
fragment queue but does not set INET_FRAG_COMPLETE, and leaves
q->fragments_tail and q->last_run_head pointing at the freed skbs.
The queue itself stays in the rhashtable.
fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,
but it cannot stop a fragment that already obtained the queue through
inet_frag_find() earlier and stalled just before taking the queue lock.
Once that fragment resumes after the flush and takes the queue lock,
it passes the INET_FRAG_COMPLETE check and then dereferences the freed
fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of
that pointer and, on the append path, writes ->next_frag, causing a
slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly
share the same flush path and are affected as well.
Reset rb_fragments, fragments_tail and last_run_head in
inet_frag_queue_flush() so a flushed queue no longer points at the
freed skbs. A fragment that resumes after the flush and takes the
queue lock then finds an empty queue and starts a new run instead of
dereferencing the freed fragments_tail. ip_frag_reinit() already
performed this reset after its own flush, so drop the now duplicate
code there.
AI Analysis
Use-after-free in the Linux kernel's inet fragment reassembly: during netns teardown, fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush(), which frees the queued skbs but leaves q->fragments_tail and q->last_run_head pointing at freed memory; a fragment that had already obtained the queue through inet_frag_find() can then dereference those freed skbs in inet_frag_queue_insert(), reading and writing freed slab memory. IPv4, IPv6, nf_conntrack_reasm6 and 6lowpan reassembly are all affected.
Basic Information
ID
CVE-2026-53175
Source
Linux
Published
Jun 25, 2026 at 08:38
Modified
Jun 28, 2026 at 06:39
Affected Product
Vendor
Linux
Product
Linux
Version
22ee4010866da81aeee08e1ea3fddbe418feb212
Affected Versions
Linux Linux 22ee4010866da81aeee08e1ea3fddbe418feb212
Linux Linux 543555954b1ee8d1903a7020324efb41b0c97428
Linux Linux c70df25214ac9b32b53e18e6ae3b8f073ffa6903
Linux Linux 006a5035b495dec008805df249f92c22c89c3d2e
Linux Linux 6.12.93
Linux Linux 6.18.3
Linux Linux 6.19
AI Assessment
AI Score
9.8 / 10
AI Severity
CRITICAL
Vendor
Linux
Product
Linux Kernel
Version
6.12.93, 6.18.3, 6.19
References
- https://git.kernel.org/stable/c/0e823ca0e7391630784ae7dd0981b7ad170a93d9
- https://git.kernel.org/stable/c/c22599cc90e1cd5f8129c8670bd68a02ff7177b4
- https://git.kernel.org/stable/c/89b909e9704587bfecc1aab1d37e98faee03b9f9
- https://git.kernel.org/stable/c/010c3313a4d178dc2d3ce958d2e5cb055e2864c1
- https://git.kernel.org/stable/c/32594b09854970d7ba83eb2dc8c69a2edd158c8e