{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: anycast: insert aca into global hash under idev-\\u003elock\\n\\nsyzbot reported a splat [1]: a slab-use-after-free in\\nipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash\\nunder RCU and dereferences a struct ifacaddr6 that has already been\\nfreed while still linked in the hash, so a later reader walks into a\\ndangling node.\\n\\nIn __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then\\naca_get() bumps it to 2 to keep it alive across the unlocked region.\\nIt is published to idev-\\u003eac_list under idev-\\u003elock, but\\nipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent\\nteardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL)\\ncan slip into that window:\\n\\n CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL)\\n —————————— ————————————\\n aca_alloc() refcnt 1\\n aca_get() refcnt 2\\n write_lock_bh(idev-\\u003elock)\\n add aca to ac_list\\n write_unlock_bh(idev-\\u003elock)\\n write_lock_bh(idev-\\u003elock)\\n pull aca off ac_list\\n write_unlock_bh(idev-\\u003elock)\\n ipv6_del_acaddr_hash(aca)\\n hlist_del_init_rcu() is a no-op,\\n aca is not in the hash yet\\n aca_put() refcnt 2-\\u003e1\\n ipv6_add_acaddr_hash(aca)\\n aca now inserted into the hash\\n aca_put() refcnt 1-\\u003e0\\n call_rcu(aca_free_rcu) -\\u003e kfree(aca)\\n\\nThe hash removal becomes a no-op because the insertion has not\\nhappened yet, so once CPU0 inserts and drops the last reference, the\\naca is freed while still linked in inet6_acaddr_lst[], and readers\\ndereference freed memory after the slab slot is reused.\\n\\nThis window opened once RTNL stopped serializing the join path against\\ndevice teardown. Move ipv6_add_acaddr_hash() inside the idev-\\u003elock\\nsection so the ac_list and hash insertions are atomic with respect to\\nteardown: a racing remover now either misses the aca entirely or finds\\nit in both lists.\\n\\nacaddr_hash_lock is now nested under idev-\\u003elock, which is acquired in\\nsoftirq context, so switch all acaddr_hash_lock sites to spin_lock_bh()\\nto avoid the irq lock inversion reported in [2].\\n\\n[1] https:\/\/syzkaller.appspot.com\/bug?extid=a01df04303c131efbf3a\\n[2] https:\/\/lore.kernel.org\/netdev\/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com\/”,”published”:”2026-06-25T08:39:48.571Z”,”modified”:”2026-06-28T06:41:02.388Z”,”type”:”cve”,”title”:”ipv6: anycast: insert aca into global hash under idev-\\u003elock”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/15be7e9fdbff831fb3e89b83cc337a4f85ad3310\\nhttps:\/\/git.kernel.org\/stable\/c\/3a967c498baa976b11d4800dda224c507416e97c\\nhttps:\/\/git.kernel.org\/stable\/c\/f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3″,”id”:”CVE-2026-53259″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux eb1ac9ff6c4a5720b1a1476233be374c5dc44bff\\nLinux Linux eb1ac9ff6c4a5720b1a1476233be374c5dc44bff\\nLinux Linux eb1ac9ff6c4a5720b1a1476233be374c5dc44bff\\nLinux Linux 6.17″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”eb1ac9ff6c4a5720b1a1476233be374c5dc44bff”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: anycast: insert aca into global hash under idev-\\u003elock\\n\\nsyzbot reported a splat [1]: a slab-use-after-free in\\nipv6_chk_acast_addr(),…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-66528","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n