CVE-2026-53264— net/sched: act_api: use RCU with deferred freeing for action lifecycle
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-53264
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net/sched: act_api: use RCU with deferred freeing for action lifecycle
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: use RCU with deferred freeing for action lifecycle When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action. Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER: 0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree(). Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu(). Let's illustrate the new restored code path: 0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-53264
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-53264
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-53264 (4)
Other References for CVE-2026-53264 (4)
Same Patch Batch · Linux · 2026-06-25 · 147 CVEs total
| CVE-2026-53185 | zram: fix use-after-free in zram_bvec_write_partial() | |
| CVE-2026-53167 | fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios | |
| CVE-2026-53168 | fuse: reject fuse_notify() pagecache ops on directories | |
| CVE-2026-53169 | accel/ethosu: reject NPU_OP_RESIZE commands from userspace | |
| CVE-2026-53171 | accel/ethosu: fix arithmetic issues in dma_length() | |
| CVE-2026-53170 | accel/ethosu: reject DMA commands with uninitialized length | |
| CVE-2026-53172 | accel/ethosu: fix IFM region index out-of-bounds in command stream parser | |
| CVE-2026-53174 | ovl: keep err zero after successful ovl_cache_get() | |
| CVE-2026-53173 | accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() | |
| CVE-2026-53175 | inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush | |
| CVE-2026-53177 | bnxt_en: Fix NULL pointer dereference | |
| CVE-2026-53176 | IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN | |
| CVE-2026-53178 | staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction | |
| CVE-2026-53180 | timers/migration: Fix livelock in tmigr_handle_remote_up() | |
| CVE-2026-53179 | staging: rtl8723bs: fix buffer over-read in rtw_update_protection | |
| CVE-2026-53181 | vsock/vmci: fix sk_ack_backlog leak on failed handshake | |
| CVE-2026-53182 | wifi: nl80211: reject oversized EMA RNR lists | |
| CVE-2026-53183 | mptcp: allow subflow rcv wnd to shrink | |
| CVE-2026-53184 | udp: clear skb->dev before running a sockmap verdict | |
| CVE-2026-53196 | USB: serial: io_ti: fix heap overflow in get_manuf_info() |
Showing top 20 of 147 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-53264
No comments yet