CVE-2026-53240

Source
https://cve.org/CVERecord?id=CVE-2026-53240
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53240.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53240
Downstream
Related
Published
2026-06-25T08:39:35.809Z
Modified
2026-07-09T21:00:30.143589312Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix use-after-free on first_skb in __inputprocesspayload

_inputprocesspayload() stores firstskb into xtfs->ranewskb under droplock when starting partial reassembly, then unlocks and breaks out of the processing loop. The post-loop check reads xtfs->ranewskb without the lock to decide whether firstskb is still owned:

if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)

Between spinunlock and this read, a concurrent CPU running iptfsreassemcont() (or the droptimer hrtimer) can complete reassembly, NULL xtfs->ranewskb, and free the skb. The check then evaluates firstskb != NULL as true, and pskbtrim/ipsummed/consumeskb operate on the freed skb — a use-after-free in skbuffhead_cache.

Replace the unlocked read with a local bool that records whether firstskb was handed to the reassembly state in the current call. The flag is set after the existing spinunlock, before the break, using the pointer equality that is stable at that point (firstskb == skb iff firstskb was stored in ra_newskb).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53240.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3f3339885fb343b7b42d7c34717108ce07da24ae
Fixed
8d9a79fbf5172d9c4c0146057af2360913265a11
Fixed
ff2ee35b6ce5fa8a8e24ea50b15733d5c8780198
Fixed
eb48730bb827d1550401a5d391903f9d90b493c8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53240.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53240.json"