In the Linux kernel, the following vulnerability has been resolved:
inet: frags: fix use-after-free caused by the fqdirpreexit() flush
On netns teardown, fqdirpreexit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inetfragqueueflush(). That helper frees all the skbs queued on the fragment queue but does not set INETFRAGCOMPLETE, and leaves q->fragmentstail and q->lastrunhead pointing at the freed skbs. The queue itself stays in the rhashtable.
fqdirpreexit() first lowers highthresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inetfragfind() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INETFRAGCOMPLETE check and then dereferences the freed fragmentstail. inetfragqueueinsert() reads FRAGCB() and ->len of that pointer and, on the append path, writes ->nextfrag, causing a slab use-after-free. IPv6, nfconntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well.
Reset rbfragments, fragmentstail and lastrunhead in inetfragqueueflush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragmentstail. ipfragreinit() already performed this reset after its own flush, so drop the now duplicate code there.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53175.json",
"cna_assigner": "Linux"
}