{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53259", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.394Z", "datePublished": "2026-06-25T08:39:48.571Z", "dateUpdated": "2026-06-25T08:39:48.571Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-25T08:39:48.571Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: anycast: insert aca into global hash under idev->lock\n\nsyzbot reported a splat [1]: a slab-use-after-free in\nipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash\nunder RCU and dereferences a struct ifacaddr6 that has already been\nfreed while still linked in the hash, so a later reader walks into a\ndangling node.\n\nIn __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then\naca_get() bumps it to 2 to keep it alive across the unlocked region.\nIt is published to idev->ac_list under idev->lock, but\nipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent\nteardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL)\ncan slip into that window:\n\n CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL)\n ------------------------------ ------------------------------------\n aca_alloc() refcnt 1\n aca_get() refcnt 2\n write_lock_bh(idev->lock)\n add aca to ac_list\n write_unlock_bh(idev->lock)\n write_lock_bh(idev->lock)\n pull aca off ac_list\n write_unlock_bh(idev->lock)\n ipv6_del_acaddr_hash(aca)\n hlist_del_init_rcu() is a no-op,\n aca is not in the hash yet\n aca_put() refcnt 2->1\n ipv6_add_acaddr_hash(aca)\n aca now inserted into the hash\n aca_put() refcnt 1->0\n call_rcu(aca_free_rcu) -> kfree(aca)\n\nThe hash removal becomes a no-op because the insertion has not\nhappened yet, so once CPU0 inserts and drops the last reference, the\naca is freed while still linked in inet6_acaddr_lst[], and readers\ndereference freed memory after the slab slot is reused.\n\nThis window opened once RTNL stopped serializing the join path against\ndevice teardown. Move ipv6_add_acaddr_hash() inside the idev->lock\nsection so the ac_list and hash insertions are atomic with respect to\nteardown: a racing remover now either misses the aca entirely or finds\nit in both lists.\n\nacaddr_hash_lock is now nested under idev->lock, which is acquired in\nsoftirq context, so switch all acaddr_hash_lock sites to spin_lock_bh()\nto avoid the irq lock inversion reported in [2].\n\n[1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a\n[2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/anycast.c"], "versions": [{"version": "eb1ac9ff6c4a5720b1a1476233be374c5dc44bff", "lessThan": "15be7e9fdbff831fb3e89b83cc337a4f85ad3310", "status": "affected", "versionType": "git"}, {"version": "eb1ac9ff6c4a5720b1a1476233be374c5dc44bff", "lessThan": "3a967c498baa976b11d4800dda224c507416e97c", "status": "affected", "versionType": "git"}, {"version": "eb1ac9ff6c4a5720b1a1476233be374c5dc44bff", "lessThan": "f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/anycast.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.36", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.13", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.0.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/15be7e9fdbff831fb3e89b83cc337a4f85ad3310"}, {"url": "https://git.kernel.org/stable/c/3a967c498baa976b11d4800dda224c507416e97c"}, {"url": "https://git.kernel.org/stable/c/f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3"}], "title": "ipv6: anycast: insert aca into global hash under idev->lock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: ipv6: anycast: insert aca into global hash under idev->lock", "id": "2492850", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492850"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-366", "details": ["A flaw was found in the Linux kernel, specifically within its management of IPv6 anycast addresses. A timing issue, known as a race condition, can occur when these addresses are added and removed from a system's internal list. This can lead to the system attempting to access memory that has already been released, a condition known as a use-after-free. Such an issue could potentially cause system instability or a denial of service (DoS), making the system unavailable to users."], "name": "CVE-2026-53259", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53259\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53259\nhttps://lore.kernel.org/linux-cve-announce/2026062515-CVE-2026-53259-5758@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eb1ac9ff6c4a5720b1a1476233be374c5dc44bff,15be7e9fdbff831fb3e89b83cc337a4f85ad3310)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eb1ac9ff6c4a5720b1a1476233be374c5dc44bff,3a967c498baa976b11d4800dda224c507416e97c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eb1ac9ff6c4a5720b1a1476233be374c5dc44bff,f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.36,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.13,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-06-25T12:00:13.997026+00:00", "updated": "2026-06-26T05:30:17.421667+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}