CVE-2026-53239 - Vulnerability Details

- xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO)
========================== ==========================
xfrm_policy_bysel_ctx():
spin_lock_bh(xfrm_policy_lock)
bin = xfrm_policy_inexact_lookup()
__xfrm_policy_unlink(pol)
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_kill(ret)
// wide window, lock not held
xfrm_hash_rebuild():
spin_lock_bh(xfrm_policy_lock)
__xfrm_policy_inexact_flush():
kfree_rcu(bin) // bin freed
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_inexact_prune_bin(bin)
// UAF: bin is freed

Published: 2026-06-25

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 8fc536e9f6856230f19c7d13e71af064b6a77b22
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 42827d03f8009a6a218bacab153e21f39d6a121c
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 88697cf980222d5906a37bf47662dac0732e2a0f
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< b5316e2b8614a87d8736941972441cb47bfd4491
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< ec82ea4eb220164d854f8734ca5a35e23e577b94
`6be3b0db6db82cf056a72cc18042048edd27f8ee`	affected	< 7f2d76c9c03257c0782afef9d95321fa04096f60

Linux

affected

Version	Status	Constraints
`5.0`	affected	—
`0`	unaffected	< 5.0
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,8fc536e9f6856230f19c7d13e71af064b6a77b22)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,c4c1ea36d83bf3c4569468ca5b8b614fda1bf821)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,25c8c7fb3b0b9668c7d05e209f58c158d2b020c7)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,42827d03f8009a6a218bacab153e21f39d6a121c)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,88697cf980222d5906a37bf47662dac0732e2a0f)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,b5316e2b8614a87d8736941972441cb47bfd4491)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,ec82ea4eb220164d854f8734ca5a35e23e577b94)`	affected	code_commit	—
`[6be3b0db6db82cf056a72cc18042048edd27f8ee,7f2d76c9c03257c0782afef9d95321fa04096f60)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.0`	affected	semver	—
`[0,5.0)`	unaffected	semver	—
`[5.10.259,5.11.0)`	unaffected	semver	—
`[5.15.210,5.16.0)`	unaffected	semver	—
`[6.1.176,6.2.0)`	unaffected	semver	—
`[6.6.143,6.7.0)`	unaffected	semver	—
`[6.12.94,6.13.0)`	unaffected	semver	—
`[6.18.36,6.19.0)`	unaffected	semver	—
`[7.0.13,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00184.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c
https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60
https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f
https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22
https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491
https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94
https://lore.kernel.org/linux-cve-announce/2026062510-CVE-2026-53239-8ebc@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53239
https://www.cve.org/CVERecord?id=CVE-2026-53239

History

Fri, 26 Jun 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Fri, 26 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026062510-CVE-2026-53239-8ebc@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53239 https://www.cve.org/CVERecord?id=CVE-2026-53239
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed. Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed
Title		xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7 https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60 https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22 https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491 https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821 https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:35.149Z

Updated: 2026-06-25T08:39:35.149Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53239

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53239 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses

CWE-364

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object