net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.

The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.

Basic Information

ID CVE-2026-53011

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux

Product Linux

Version a3d43c0d56f1b94e74963a2fbadfb70126d92213

Affected Versions Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux 5.2

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: fix use-after-free in advance_sched() on schedule switch\n\nIn advance_sched(), when should_change_schedules() returns true,\nswitch_schedules() is called to promote the admin schedule to oper.\nswitch_schedules() queues the old oper schedule for RCU freeing via\ncall_rcu(), but 'next' still points into an entry of the old oper\nschedule. The subsequent 'next->end_time = end_time' and\nrcu_assign_pointer(q->current_entry, next) are use-after-free.\n\nFix this by selecting 'next' from the new oper schedule immediately\nafter switch_schedules(), and using its pre-calculated end_time.\nsetup_first_end_time() sets the first entry's end_time to\nbase_time + interval when the schedule is installed, so the value\nis already correct.\n\nThe deleted 'end_time = sched_base_time(admin)' assignment was also\nharmful independently: it would overwrite the new first entry's\npre-calculated end_time with just base_time.",
    "published": "2026-06-24T16:29:22.082Z",
    "modified": "2026-06-28T06:38:02.986Z",
    "type": "cve",
    "title": "net/sched: taprio: fix use-after-free in advance_sched() on schedule switch",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a8fc396519ef4f081bc545e88f61241728bb78d7\nhttps://git.kernel.org/stable/c/3471874578160a28c171a607fa069f24062634b8\nhttps://git.kernel.org/stable/c/7256996e1ef553716817f3bfd077c2f3b48b582f\nhttps://git.kernel.org/stable/c/eee072fe16c646190d33ae69c9983d8de1562bf8\nhttps://git.kernel.org/stable/c/1bd286fa3e21200133478ed523cc6a2788baf38a\nhttps://git.kernel.org/stable/c/b73235da5dde77ed1264f9767b62c28c9d71fd78\nhttps://git.kernel.org/stable/c/0e62171df8ed4804d00db088f17eed06468233fa\nhttps://git.kernel.org/stable/c/105425b1969c5affe532713cfac1c0b320d7ac2b",
    "id": "CVE-2026-53011",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213\nLinux Linux 5.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a3d43c0d56f1b94e74963a2fbadfb70126d92213",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch_CVE-2026-53011

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply