CVE-2026-53262
Received - Intake
Use-After-Free in Linux Kernel PPP over L2TP

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()

pppol2tp_ioctl() read sock->sk->sk_user_data directly without any locks or reference counting. If a controllable sleep was induced during copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent socket close could trigger pppol2tp_session_close() asynchronously. This frees the l2tp_session structure via the l2tp_session_del_work workqueue. Upon resuming, the ioctl thread dereferences the stale session pointer, resulting in a Use-After-Free (UAF).

Fix this by securely fetching the session reference using the RCU-safe, refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the session's refcount across the sleep. We structured the function to exit via standard err breaks, guaranteeing that l2tp_session_put() is cleanly called on all return paths to drop the reference.

To preserve existing behavior we validate the session and its magic signature only for the specific L2TP commands that require it. This ensures that generic/unknown ioctls called on an unconnected socket still return -ENOIOCTLCMD and correctly fall back to generic handlers (e.g. in sock_do_ioctl()).

Affected Vendors & Products

Vendor: linux
Product: linux_kernel
Version / Range: *

Executive Summary

This vulnerability is in the Linux kernel's L2TP (Layer 2 Tunneling Protocol) implementation, in the pppol2tp_ioctl() function. The function read the session pointer from sock->sk->sk_user_data without any locks or reference counting. If a controllable sleep occurs during copy_from_user(), a concurrent socket close can asynchronously free the associated l2tp_session structure. When the ioctl thread resumes, it dereferences the stale session pointer, which is a Use-After-Free (UAF).

The fix obtains the session on entry through the refcounted, RCU-safe helper pppol2tp_sock_to_session(sk), so a reference is held across the sleep, and drops it with l2tp_session_put() on every return path. The session therefore cannot be freed while the ioctl is still using it, which prevents the UAF.
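
The reference-holding pattern described above, as an added user-space C model (not kernel code and not the kernel's patch): a callback stands in for the sleep inside copy_from_user() during which the socket is closed, and freeing is modelled by poisoning the object. All identifiers, the command numbers, the magic value and the -ENOTCONN result for a missing session are assumptions of this model.

```c
/* User-space model of the fix pattern; not kernel code. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>

#define MODEL_MAGIC       0x5E55u /* constructed value */
#define MODEL_ENOIOCTLCMD 515     /* stands in for the kernel's ENOIOCTLCMD */
enum { CMD_GET_STATS = 1, CMD_UNKNOWN = 99 }; /* constructed commands */
struct session { unsigned magic; int refs; int stats; };
struct sock_model { struct session *user_data; };
static int frees; /* sessions released so far */

/* Drop one reference; the last put "frees" (here: poisons) the session. */
static void session_put(struct session *s) {
    if (s && --s->refs == 0) { s->magic = 0; s->stats = -1; frees++; }
}
/* Refcounted lookup: on success the caller owns one reference. */
static struct session *sock_to_session(struct sock_model *sk) {
    struct session *s = sk->user_data;
    if (s) s->refs++;
    return s;
}
/* Close path: unpublish the session, then drop the socket's reference. */
static void sock_close(struct sock_model *sk) {
    struct session *s = sk->user_data;
    sk->user_data = NULL;
    session_put(s);
}
/* during_copy marks the point where copy_from_user() may sleep. */
static int ioctl_model(struct sock_model *sk, int cmd,
                       void (*during_copy)(struct sock_model *), int *out) {
    struct session *s = sock_to_session(sk); /* reference held from entry */
    int err = -MODEL_ENOIOCTLCMD;            /* default: not our command */
    if (cmd == CMD_GET_STATS) {              /* validate only where needed */
        err = -ENOTCONN;                     /* assumed error for this model */
        if (s && s->magic == MODEL_MAGIC) {
            if (during_copy) during_copy(sk); /* a close may run here */
            *out = s->stats;                  /* still valid: reference pins it */
            err = 0;
        }
    }
    session_put(s); /* single exit drops the reference on every path */
    return err;
}
int main(void) {
    struct session s = { MODEL_MAGIC, 1, 7 };
    struct sock_model sk = { &s };
    int out = 0;
    return ioctl_model(&sk, CMD_GET_STATS, sock_close, &out) || out != 7 || frees != 1;
}
```

The session is released exactly once, by the ioctl's final put after the read, and an unknown command on an unconnected socket still returns the "not handled" code.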

Impact Analysis

This Use-After-Free vulnerability can lead to undefined behavior in the kernel, including potential crashes, data corruption, or escalation of privileges. An attacker could exploit this flaw to execute arbitrary code within the kernel context or cause denial of service by crashing the system.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the pppol2tp_ioctl() function to securely fetch the session reference using the RCU-safe, refcounted helper pppol2tp_sock_to_session(sk).

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
