In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: fix use-after-free on first_skb in __inputprocesspayload
_inputprocesspayload() stores firstskb into xtfs->ranewskb under droplock when starting partial reassembly, then unlocks and breaks out of the processing loop. The post-loop check reads xtfs->ranewskb without the lock to decide whether firstskb is still owned:
if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)
Between spinunlock and this read, a concurrent CPU running iptfsreassemcont() (or the droptimer hrtimer) can complete reassembly, NULL xtfs->ranewskb, and free the skb. The check then evaluates firstskb != NULL as true, and pskbtrim/ipsummed/consumeskb operate on the freed skb — a use-after-free in skbuffhead_cache.
Replace the unlocked read with a local bool that records whether firstskb was handed to the reassembly state in the current call. The flag is set after the existing spinunlock, before the break, using the pointer equality that is stable at that point (firstskb == skb iff firstskb was stored in ra_newskb).
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53240.json",
"cna_assigner": "Linux"
}