{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53011","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.378Z","datePublished":"2026-06-24T16:29:22.082Z","dateUpdated":"2026-06-28T06:38:02.986Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-28T06:38:02.986Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: fix use-after-free in advance_sched() on schedule switch\n\nIn advance_sched(), when should_change_schedules() returns true,\nswitch_schedules() is called to promote the admin schedule to oper.\nswitch_schedules() queues the old oper schedule for RCU freeing via\ncall_rcu(), but 'next' still points into an entry of the old oper\nschedule. The subsequent 'next->end_time = end_time' and\nrcu_assign_pointer(q->current_entry, next) are use-after-free.\n\nFix this by selecting 'next' from the new oper schedule immediately\nafter switch_schedules(), and using its pre-calculated end_time.\nsetup_first_end_time() sets the first entry's end_time to\nbase_time + interval when the schedule is installed, so the value\nis already correct.\n\nThe deleted 'end_time = sched_base_time(admin)' assignment was also\nharmful independently: it would overwrite the new first entry's\npre-calculated end_time with just base_time."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_taprio.c"],"versions":[{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"a8fc396519ef4f081bc545e88f61241728bb78d7","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"3471874578160a28c171a607fa069f24062634b8","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"7256996e1ef553716817f3bfd077c2f3b48b582f","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"eee072fe16c646190d33ae69c9983d8de1562bf8","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"1bd286fa3e21200133478ed523cc6a2788baf38a","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"b73235da5dde77ed1264f9767b62c28c9d71fd78","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"0e62171df8ed4804d00db088f17eed06468233fa","status":"affected","versionType":"git"},{"version":"a3d43c0d56f1b94e74963a2fbadfb70126d92213","lessThan":"105425b1969c5affe532713cfac1c0b320d7ac2b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_taprio.c"],"versions":[{"version":"5.2","status":"affected"},{"version":"0","lessThan":"5.2","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.6.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.12.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a8fc396519ef4f081bc545e88f61241728bb78d7"},{"url":"https://git.kernel.org/stable/c/3471874578160a28c171a607fa069f24062634b8"},{"url":"https://git.kernel.org/stable/c/7256996e1ef553716817f3bfd077c2f3b48b582f"},{"url":"https://git.kernel.org/stable/c/eee072fe16c646190d33ae69c9983d8de1562bf8"},{"url":"https://git.kernel.org/stable/c/1bd286fa3e21200133478ed523cc6a2788baf38a"},{"url":"https://git.kernel.org/stable/c/b73235da5dde77ed1264f9767b62c28c9d71fd78"},{"url":"https://git.kernel.org/stable/c/0e62171df8ed4804d00db088f17eed06468233fa"},{"url":"https://git.kernel.org/stable/c/105425b1969c5affe532713cfac1c0b320d7ac2b"}],"title":"net/sched: taprio: fix use-after-free in advance_sched() on schedule switch","x_generator":{"engine":"bippy-1.2.0"}}}}