CVE-2026-53260
Status: Received - Intake
Refcount underflow in Linux kernel TCP request socket handling

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().

syzbot reported a weird reqsk->rsk_refcnt underflow in __inet_csk_reqsk_queue_drop().

The captured reqsk_put() in __inet_csk_reqsk_queue_drop() is called only when it successfully removes reqsk from ehash. Moreover, reqsk_timer_handler() calls another reqsk_put() after that.

This indicates that the reqsk was missing both refcnts for ehash and the timer itself.

Since all the syzbot reports had PREEMPT_RT enabled, the only possible scenario is that reqsk_queue_hash_req() is preempted after mod_timer() and before refcount_set(), and then the timer triggered after 1s aborts the reqsk due to its listener's close().

Let's wrap mod_timer() and refcount_set() with preempt_disable_nested() and preempt_enable_nested().

Note that inet_ehash_insert() holds the normal spin_lock() (mutex in PREEMPT_RT), so it must be called outside of preempt_disable_nested(), but this is fine. The lookup path just ignores 0 sk_refcnt entries in ehash and tries to create another reqsk, but this will fail at inet_ehash_insert().

[0]:
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: e4 7d d1 0a 67 48 0f b9 3a eb 4a e8 38 3d 23 fd 48 8d 3d e1 7d d1 0a 67 48 0f b9 3a eb 37 e8 25 3d 23 fd 48 8d 3d de 7d d1 0a <67> 48 0f b9 3a eb 24 e8 12 3d 23 fd 48 8d 3d db 7d d1 0a 67 48 0f
RSP: 0000:ffffc90000157948 EFLAGS: 00010246
RAX: ffffffff84a1301b RBX: 0000000000000003 RCX: ffff88801ca98000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f72ae00
RBP: ffffffff99ae3b01 R08: ffff88801ca98000 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: ffff8880425ef568
R13: ffff8880425ef4f8 R14: ffff8880425ef578 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888126386000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b46710e9c CR3: 000000000dbb6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 reqsk_put include/net/request_sock.h:136 [inline]
 __inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x67/0x170 kernel/time/timer.c:2403
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1151
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Affected Vendors & Products (1 associated CPE)

Vendor   Product        Version / Range
linux    linux_kernel   * (all versions)
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's TCP networking code, specifically in the handling of request sockets (reqsk). It involves a reference count underflow in the function __inet_csk_reqsk_queue_drop(), which is triggered when a request socket is removed from a hash queue and its timer expires. The issue arises because the reference count for the request socket is decremented twice without proper synchronization, leading to a use-after-free condition.

The root cause is that the function reqsk_queue_hash_req() can be preempted between calls to mod_timer() and refcount_set(), allowing the timer to expire and call reqsk_put() again, which decrements the reference count incorrectly. The fix involves wrapping these calls with preempt_disable_nested() and preempt_enable_nested() to prevent preemption and ensure correct reference counting.

Impact Analysis

This vulnerability can lead to a reference count underflow and a use-after-free condition in the Linux kernel's TCP stack. Such a condition can cause kernel crashes, instability, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the corrupted memory state.

Systems running the affected Linux kernel with PREEMPT_RT enabled are particularly susceptible, as the vulnerability is triggered by preemption during specific timing windows. This can impact the reliability and security of network communications on affected systems.

Detection Guidance

This vulnerability involves a refcount underflow in the Linux kernel's TCP request socket handling, which may manifest as warnings or errors related to refcount underflow or use-after-free in kernel logs.

To detect this vulnerability on your system, you should monitor kernel logs for warnings similar to "refcount_t: underflow; use-after-free" and tracebacks involving functions like __inet_csk_reqsk_queue_drop() and reqsk_timer_handler().

Commands to check kernel logs include:

  • dmesg | grep -i 'refcount_t: underflow'
  • journalctl -k | grep -i 'refcount_t: underflow'
  • journalctl -k | grep -E 'inet_csk_reqsk_queue_drop|reqsk_timer_handler'

Additionally, since the issue was reported only with PREEMPT_RT enabled, systems running real-time (PREEMPT_RT) kernels are more likely to hit the race and warrant closer log monitoring.
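The following script automates the log check described above. It is an added example, not part of the advisory: it scans a saved kernel log (for instance the output of journalctl -k) for the refcount_t underflow warning together with the two request-socket functions from the reported call trace, and reports whether the running kernel is a PREEMPT_RT build. The assumption that RT builds carry "PREEMPT_RT" in the uname -v string, and the abridged sample log, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): scan a saved kernel log for the
# CVE-2026-53260 signature. The signature is the refcount_t underflow warning
# plus both TCP request-socket functions named in the reported call trace.
# Exit status 0 = signature found, 1 = not found.
check_reqsk_underflow() {
    log="$1"
    grep -q 'refcount_t: underflow; use-after-free' "$log" || return 1
    grep -q '__inet_csk_reqsk_queue_drop' "$log" || return 1
    grep -q 'reqsk_timer_handler' "$log" || return 1
}

# Report whether a kernel is a PREEMPT_RT build (the configuration all the
# syzbot reports came from). Takes the `uname -v` string as an argument so it
# can also be checked against a value captured from another host.
# Assumption: RT builds include "PREEMPT_RT" in the uname version string.
is_preempt_rt() {
    printf '%s\n' "$1" | grep -q 'PREEMPT_RT'
}

# Constructed sample log, abridged from the advisory's trace (not a real capture).
sample=$(mktemp)
cat > "$sample" <<'EOF'
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Call Trace:
 __inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
EOF

if check_reqsk_underflow "$sample"; then
    echo "CVE-2026-53260 signature found in $sample"
else
    echo "no matching refcount underflow trace in $sample"
fi
if is_preempt_rt "$(uname -v)"; then
    echo "running kernel is a PREEMPT_RT build: prioritise patching"
fi
rm -f "$sample"
```

On a live host, replace the constructed sample with a real capture (journalctl -k > /tmp/kernel.log) and call check_reqsk_underflow on that file.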

Mitigation Strategies

The vulnerability is resolved by adding preempt_disable_nested() and preempt_enable_nested() wrappers around mod_timer() and refcount_set() in the Linux kernel TCP request socket code.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating the kernel is not immediately possible, consider disabling PREEMPT_RT (real-time preemption) if it is enabled, as the issue was observed primarily with PREEMPT_RT enabled.
  • Monitor kernel logs for signs of the issue to detect any exploitation attempts.

Applying the official patch or upgrading to a fixed kernel version is the recommended and most effective mitigation.
