NVD

CVE-2026-53175 Detail

Received

This CVE record has recently been published to the CVE List and has been included within the NVD dataset.

Description

In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/010c3313a4d178dc2d3ce958d2e5cb055e2864c1	kernel.org
https://git.kernel.org/stable/c/0e823ca0e7391630784ae7dd0981b7ad170a93d9	kernel.org
https://git.kernel.org/stable/c/32594b09854970d7ba83eb2dc8c69a2edd158c8e	kernel.org
https://git.kernel.org/stable/c/89b909e9704587bfecc1aab1d37e98faee03b9f9	kernel.org
https://git.kernel.org/stable/c/c22599cc90e1cd5f8129c8670bd68a02ff7177b4	kernel.org

Weakness Enumeration

CWE-ID	CWE Name	Source

Change History

1 change records found show changes

New CVE Received from kernel.org 6/25/2026 5:16:34 AM

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.
Added	Reference	https://git.kernel.org/stable/c/010c3313a4d178dc2d3ce958d2e5cb055e2864c1
Added	Reference	https://git.kernel.org/stable/c/0e823ca0e7391630784ae7dd0981b7ad170a93d9
Added	Reference	https://git.kernel.org/stable/c/32594b09854970d7ba83eb2dc8c69a2edd158c8e
Added	Reference	https://git.kernel.org/stable/c/89b909e9704587bfecc1aab1d37e98faee03b9f9
Added	Reference	https://git.kernel.org/stable/c/c22599cc90e1cd5f8129c8670bd68a02ff7177b4
Added	Affected	[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"22ee4010866da81aeee08e1ea3fddbe418feb212","lessThan":"0e823ca0e7391630784ae7dd0981b7ad170a93d9","versionType":"git","status":"affected"},{"version":"543555954b1ee8d1903a7020324efb41b0c97428","lessThan":"c22599cc90e1cd5f8129c8670bd68a02ff7177b4","versionType":"git","status":"affected"},{"version":"c70df25214ac9b32b53e18e6ae3b8f073ffa6903","lessThan":"89b909e9704587bfecc1aab1d37e98faee03b9f9","versionType":"git","status":"affected"},{"version":"006a5035b495dec008805df249f92c22c89c3d2e","lessThan":"010c3313a4d178dc2d3ce958d2e5cb055e2864c1","versionType":"git","status":"affected"},{"version":"006a5035b495dec008805df249f92c22c89c3d2e","lessThan":"32594b09854970d7ba83eb2dc8c69a2edd158c8e","versionType":"git","status":"affected"},{"version":"6.12.93","lessThan":"6.12.94","versionType":"semver","status":"affected"},{"version":"6.18.3","lessThan":"6.18.36","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Quick Info

CVE Dictionary Entry:
CVE-2026-53175
NVD Published Date:
06/25/2026
NVD Last Modified:
06/25/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2026-53175 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Change History

New CVE Received from kernel.org 6/25/2026 5:16:34 AM

Quick Info