In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
In advancesched(), when shouldchangeschedules() returns true, switchschedules() is called to promote the admin schedule to oper. switchschedules() queues the old oper schedule for RCU freeing via callrcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->endtime = endtime' and rcuassignpointer(q->current_entry, next) are use-after-free.
Fix this by selecting 'next' from the new oper schedule immediately after switchschedules(), and using its pre-calculated endtime. setupfirstendtime() sets the first entry's endtime to base_time + interval when the schedule is installed, so the value is already correct.
The deleted 'endtime = schedbasetime(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated endtime with just base_time.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53011.json",
"cna_assigner": "Linux"
}