CVE-2026-53239 is a vulnerability in Linux Kernel
Published on June 25, 2026
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
In the Linux kernel, the following vulnerability has been resolved:
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.
Race:
CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO)
========================== ==========================
xfrm_policy_bysel_ctx():
spin_lock_bh(xfrm_policy_lock)
bin = xfrm_policy_inexact_lookup()
__xfrm_policy_unlink(pol)
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_kill(ret)
// wide window, lock not held
xfrm_hash_rebuild():
spin_lock_bh(xfrm_policy_lock)
__xfrm_policy_inexact_flush():
kfree_rcu(bin) // bin freed
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_inexact_prune_bin(bin)
// UAF: bin is freed
Products Associated with CVE-2026-53239
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below 8fc536e9f6856230f19c7d13e71af064b6a77b22 is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below c4c1ea36d83bf3c4569468ca5b8b614fda1bf821 is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below 25c8c7fb3b0b9668c7d05e209f58c158d2b020c7 is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below 42827d03f8009a6a218bacab153e21f39d6a121c is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below 88697cf980222d5906a37bf47662dac0732e2a0f is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below b5316e2b8614a87d8736941972441cb47bfd4491 is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below ec82ea4eb220164d854f8734ca5a35e23e577b94 is affected.
- Version 6be3b0db6db82cf056a72cc18042048edd27f8ee and below 7f2d76c9c03257c0782afef9d95321fa04096f60 is affected.
- Version 5.0 is affected.
- Before 5.0 is unaffected.
- Version 5.10.259, <= 5.10.* is unaffected.
- Version 5.15.210, <= 5.15.* is unaffected.
- Version 6.1.176, <= 6.1.* is unaffected.
- Version 6.6.143, <= 6.6.* is unaffected.
- Version 6.12.94, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.