CVE-2026-53270
Received Received - Intake
IPVS Scheduler Use-After-Free in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ipvs: clear the svc scheduler ptr early on edit ip_vs_edit_service() while unbinding the old scheduler clears the svc->scheduler ptr after the scheduler module initiates RCU callbacks. This can cause packets to use the old scheduler at the time when svc->sched_data is already freed after RCU grace period. Fix it by clearing the ptr early in ip_vs_unbind_scheduler(), before the done_service method schedules any RCU callbacks. Also, if the new scheduler fails to initialize when replacing the old scheduler, try to restore the old scheduler while still returning the error code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53270
EUVD
EUVD-2026-39221
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's IP Virtual Server (ipvs) component. Specifically, when editing a service's scheduler using the function ip_vs_edit_service(), the pointer to the scheduler (svc->scheduler) is cleared too lateβ€”after the scheduler module has already initiated Read-Copy-Update (RCU) callbacks. This timing issue can cause packets to be processed by the old scheduler even though the scheduler's associated data (svc->sched_data) has already been freed after the RCU grace period.

The fix involves clearing the scheduler pointer earlier in the process (in ip_vs_unbind_scheduler()), before any RCU callbacks are scheduled by the done_service method. Additionally, if the new scheduler fails to initialize when replacing the old one, the system attempts to restore the old scheduler while still returning an error code.

Impact Analysis

This vulnerability can lead to packets being processed by a scheduler whose associated data has already been freed, potentially causing undefined behavior such as memory corruption or system instability in the Linux kernel's IPVS subsystem. This could result in crashes, denial of service, or unpredictable network behavior on affected systems.

Mitigation Strategies

The vulnerability has been resolved by updating the Linux kernel to include the fix that clears the svc scheduler pointer early during the edit process in ipvs. Therefore, the immediate step to mitigate this vulnerability is to update your Linux kernel to a version that contains this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart