CVE-2026-53175
Received - Intake
Use-After-Free in Linux Kernel Networking Stack

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable.

fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free.

IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well.

Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.
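As an added illustration, not code from the kernel or from this advisory, the following C model replays the sequence the description gives: a fragment obtains the queue, the netns flush frees the queued skbs, and the resumed insert trusts fragments_tail because INET_FRAG_COMPLETE is the only guard. The simplified structures, the freed flag standing in for a slab free, and the return codes are assumptions of this model.

```c
/* Toy model of the flush race in CVE-2026-53175, added here as an illustration.
 * Names mirror the kernel's but the structures are simplified, and kfree_skb()
 * only records the free so the dangling dereference is reported, not executed. */
#include <stdbool.h>
#include <stddef.h>
#define INET_FRAG_COMPLETE 0x1
struct skb { int len; struct skb *next_frag; bool freed; };
struct inet_frag_queue {
    unsigned int flags;
    void *rb_fragments;           /* stands in for the rb-tree root */
    struct skb *fragments_tail;   /* last skb of the current run */
    struct skb *last_run_head;    /* first skb of the last run */
};
enum { INSERT_APPENDED, INSERT_NEW_RUN, INSERT_COMPLETE, INSERT_UAF };
static void kfree_skb(struct skb *s) { s->freed = true; }  /* model: mark, don't free */

/* Flush before the fix: frees every queued skb, does not set INET_FRAG_COMPLETE,
 * and leaves the queue's pointers at the freed skbs. */
static void flush_buggy(struct inet_frag_queue *q) {
    for (struct skb *s = q->last_run_head, *n; s; s = n) { n = s->next_frag; kfree_skb(s); }
}

/* Flush with the fix: a flushed queue no longer points at freed skbs. */
static void flush_fixed(struct inet_frag_queue *q) {
    flush_buggy(q);
    q->rb_fragments = NULL; q->fragments_tail = NULL; q->last_run_head = NULL;
}

/* Append path of inet_frag_queue_insert(): the only guard is the COMPLETE
 * flag, so a non-NULL fragments_tail is trusted and dereferenced. */
static int frag_queue_insert(struct inet_frag_queue *q, struct skb *s) {
    if (q->flags & INET_FRAG_COMPLETE) return INSERT_COMPLETE;
    struct skb *tail = q->fragments_tail;
    if (!tail) { q->last_run_head = q->fragments_tail = s; return INSERT_NEW_RUN; }
    if (tail->freed) return INSERT_UAF;  /* kernel: reads tail->len, writes tail->next_frag */
    tail->next_frag = s;
    q->fragments_tail = s;
    return INSERT_APPENDED;
}

/* A fragment found the queue, stalled before the queue lock, the netns flush
 * ran, then the fragment resumed. Returns what the resumed insert does. */
static int race(bool fixed) {
    struct skb first = { .len = 1200 }, late = { .len = 1200 };  /* constructed skbs */
    struct inet_frag_queue q = { 0 };
    frag_queue_insert(&q, &first);                    /* queue holds one fragment */
    if (fixed) flush_fixed(&q); else flush_buggy(&q);
    return frag_queue_insert(&q, &late);              /* stalled fragment resumes */
}
```

With the buggy flush the resumed insert lands on the freed tail; with the fixed flush it finds an empty queue and starts a new run, exactly the behaviour the commit message describes.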
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's network fragment handling code. Specifically, during network namespace teardown, a function called fqdir_pre_exit() flushes fragment queues but does not properly reset pointers that still reference freed memory (skbs). As a result, when another fragment tries to access these pointers after the flush, it dereferences freed memory, causing a use-after-free condition. This affects IPv6, nf_conntrack_reasm6, and 6lowpan reassembly as they share the same flush path.

The fix involves resetting certain pointers (rb_fragments, fragments_tail, and last_run_head) during the flush so that no references remain to freed memory, preventing the use-after-free from occurring.

Impact Analysis

This vulnerability can lead to use-after-free memory errors in the Linux kernel's network stack. Such errors can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the freed memory references.

Mitigation Strategies

The vulnerability has been resolved by fixing the use-after-free issue in the Linux kernel's inet fragment handling code. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for this issue.

Specifically, the fix involves resetting rb_fragments, fragments_tail, and last_run_head in inet_frag_queue_flush() so that flushed queues no longer point to freed skbs, preventing use-after-free conditions.

Therefore, the immediate step is to apply the kernel update or patch that contains this fix.
