In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: fix ABBA deadlock in iptfsdestroystate()
iptfsdestroystate() calls hrtimer_cancel() while holding a spinlock that the timer callback also acquires, leading to an ABBA deadlock on SMP systems.
For the output timer (iptfstimer): - iptfsdestroystate() holds x->lock, calls hrtimercancel() - iptfsdelaytimer() callback takes x->lock
For the drop timer (droptimer): - iptfsdestroystate() holds droplock, calls hrtimercancel() - iptfsdroptimer() callback takes droplock
Both timers use HRTIMERMODERELSOFT, so their callbacks run in softirq context. When hrtimercancel() is called for a soft timer that is currently executing on another CPU, hrtimercancelwaitrunning() spins on softirqexpirylock -- the same lock held by the softirq running the callback. If the callback is blocked waiting for the spinlock held by the caller of hrtimercancel(), a circular dependency forms:
CPU 0: holds lockA -> waits for softirqexpirylock CPU 1: holds softirqexpirylock -> waits for lockA
Fix by calling hrtimercancel() before acquiring the respective locks. hrtimercancel() is safe to call without holding any lock and will wait for any in-progress callback to complete. For the output timer, the lock is still acquired afterwards to drain the packet queue. For the drop timer, the lock/unlock pair is removed entirely since it only existed to serialize with the timer callback, which hrtimer_cancel() already guarantees.
Found by source code audit.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53197.json",
"cna_assigner": "Linux"
}