CVE 7.8 HIGH

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch_CVE-2026-53011

7.8 / 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.

The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.

Basic Information

ID CVE-2026-53011
Source Linux
Published Jun 24, 2026 at 16:29
Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux
Product Linux
Version a3d43c0d56f1b94e74963a2fbadfb70126d92213
Affected Versions Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux a3d43c0d56f1b94e74963a2fbadfb70126d92213
Linux Linux 5.2

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.