{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53239","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.393Z","datePublished":"2026-06-25T08:39:35.149Z","dateUpdated":"2026-06-28T06:40:46.548Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-28T06:40:46.548Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()\n\nFix the race by pruning the bin while still holding xfrm_policy_lock,\nbefore dropping it. Use __xfrm_policy_inexact_prune_bin() directly since\nthe lock is already held. The wrapper xfrm_policy_inexact_prune_bin()\nbecomes unused and is removed.\n\nRace:\n\n  CPU0 (XFRM_MSG_DELPOLICY)           CPU1 (XFRM_MSG_NEWSPDINFO)\n  ==========================          ==========================\n  xfrm_policy_bysel_ctx():\n    spin_lock_bh(xfrm_policy_lock)\n    bin = xfrm_policy_inexact_lookup()\n    __xfrm_policy_unlink(pol)\n    spin_unlock_bh(xfrm_policy_lock)\n    xfrm_policy_kill(ret)\n    // wide window, lock not held\n                                       xfrm_hash_rebuild():\n                                         spin_lock_bh(xfrm_policy_lock)\n                                         __xfrm_policy_inexact_flush():\n                                           kfree_rcu(bin)  // bin freed\n                                         spin_unlock_bh(xfrm_policy_lock)\n    xfrm_policy_inexact_prune_bin(bin)\n    // UAF: bin is freed"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_policy.c"],"versions":[{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"8fc536e9f6856230f19c7d13e71af064b6a77b22","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"c4c1ea36d83bf3c4569468ca5b8b614fda1bf821","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"25c8c7fb3b0b9668c7d05e209f58c158d2b020c7","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"42827d03f8009a6a218bacab153e21f39d6a121c","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"88697cf980222d5906a37bf47662dac0732e2a0f","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"b5316e2b8614a87d8736941972441cb47bfd4491","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"ec82ea4eb220164d854f8734ca5a35e23e577b94","status":"affected","versionType":"git"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"7f2d76c9c03257c0782afef9d95321fa04096f60","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_policy.c"],"versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.6.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.12.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.18.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"7.0.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22"},{"url":"https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821"},{"url":"https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7"},{"url":"https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c"},{"url":"https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f"},{"url":"https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491"},{"url":"https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94"},{"url":"https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60"}],"title":"xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()","x_generator":{"engine":"bippy-1.2.0"}}}}