CVE-2026-53011

Source
https://cve.org/CVERecord?id=CVE-2026-53011
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53011.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53011
Downstream
Published
2026-06-24T16:29:22.082Z
Modified
2026-07-12T03:55:10.593279702Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advancesched(), when shouldchangeschedules() returns true, switchschedules() is called to promote the admin schedule to oper. switchschedules() queues the old oper schedule for RCU freeing via callrcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->endtime = endtime' and rcuassignpointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately after switchschedules(), and using its pre-calculated endtime. setupfirstendtime() sets the first entry's endtime to base_time + interval when the schedule is installed, so the value is already correct.

The deleted 'endtime = schedbasetime(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated endtime with just base_time.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53011.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a3d43c0d56f1b94e74963a2fbadfb70126d92213
Fixed
a8fc396519ef4f081bc545e88f61241728bb78d7
Fixed
3471874578160a28c171a607fa069f24062634b8
Fixed
7256996e1ef553716817f3bfd077c2f3b48b582f
Fixed
eee072fe16c646190d33ae69c9983d8de1562bf8
Fixed
1bd286fa3e21200133478ed523cc6a2788baf38a
Fixed
b73235da5dde77ed1264f9767b62c28c9d71fd78
Fixed
0e62171df8ed4804d00db088f17eed06468233fa
Fixed
105425b1969c5affe532713cfac1c0b320d7ac2b

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53011.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53011.json"