CVE-2026-53175

Source
https://cve.org/CVERecord?id=CVE-2026-53175
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53175.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53175
Downstream
Related
Published
2026-06-25T08:38:52.034Z
Modified
2026-07-08T08:13:44.006393584Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
Details

In the Linux kernel, the following vulnerability has been resolved:

inet: frags: fix use-after-free caused by the fqdirpreexit() flush

On netns teardown, fqdirpreexit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inetfragqueueflush(). That helper frees all the skbs queued on the fragment queue but does not set INETFRAGCOMPLETE, and leaves q->fragmentstail and q->lastrunhead pointing at the freed skbs. The queue itself stays in the rhashtable.

fqdirpreexit() first lowers highthresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inetfragfind() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INETFRAGCOMPLETE check and then dereferences the freed fragmentstail. inetfragqueueinsert() reads FRAGCB() and ->len of that pointer and, on the append path, writes ->nextfrag, causing a slab use-after-free. IPv6, nfconntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well.

Reset rbfragments, fragmentstail and lastrunhead in inetfragqueueflush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragmentstail. ipfragreinit() already performed this reset after its own flush, so drop the now duplicate code there.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53175.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
22ee4010866da81aeee08e1ea3fddbe418feb212
Fixed
0e823ca0e7391630784ae7dd0981b7ad170a93d9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
543555954b1ee8d1903a7020324efb41b0c97428
Fixed
c22599cc90e1cd5f8129c8670bd68a02ff7177b4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c70df25214ac9b32b53e18e6ae3b8f073ffa6903
Fixed
89b909e9704587bfecc1aab1d37e98faee03b9f9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
006a5035b495dec008805df249f92c22c89c3d2e
Fixed
010c3313a4d178dc2d3ce958d2e5cb055e2864c1
Fixed
32594b09854970d7ba83eb2dc8c69a2edd158c8e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.12.93
Fixed
6.12.94
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.18.3
Fixed
6.18.36

Affected versions

v6.*
v6.12.93
v6.18.10
v6.18.11
v6.18.12
v6.18.13
v6.18.14
v6.18.15
v6.18.16
v6.18.17
v6.18.18
v6.18.19
v6.18.20
v6.18.21
v6.18.22
v6.18.23
v6.18.24
v6.18.25
v6.18.26
v6.18.27
v6.18.28
v6.18.29
v6.18.3
v6.18.30
v6.18.31
v6.18.32
v6.18.33
v6.18.34
v6.18.35
v6.18.4
v6.18.5
v6.18.6
v6.18.7
v6.18.8
v6.18.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53175.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53175.json"