U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2026-53239

Change History

New CVE Received from kernel.org 6/25/2026 5:16:41 AM

Action Type Old Value New Value
Added Description

                  
                
              
In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

  CPU0 (XFRM_MSG_DELPOLICY)           CPU1 (XFRM_MSG_NEWSPDINFO)
  ==========================          ==========================
  xfrm_policy_bysel_ctx():
    spin_lock_bh(xfrm_policy_lock)
    bin = xfrm_policy_inexact_lookup()
    __xfrm_policy_unlink(pol)
    spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_kill(ret)
    // wide window, lock not held
                                       xfrm_hash_rebuild():
                                         spin_lock_bh(xfrm_policy_lock)
                                         __xfrm_policy_inexact_flush():
                                           kfree_rcu(bin)  // bin freed
                                         spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_inexact_prune_bin(bin)
    // UAF: bin is freed
Added Reference

                  
                
              
https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
Added Reference

                  
                
              
https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c
Added Reference

                  
                
              
https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60
Added Reference

                  
                
              
https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f
Added Reference

                  
                
              
https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22
Added Reference

                  
                
              
https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491
Added Reference

                  
                
              
https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
Added Reference

                  
                
              
https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94
Added Affected

                  
                
              
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/xfrm/xfrm_policy.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"8fc536e9f6856230f19c7d13e71af064b6a77b22","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"c4c1ea36d83bf3c4569468ca5b8b614fda1bf821","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"25c8c7fb3b0b9668c7d05e209f58c158d2b020c7","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"42827d03f8009a6a218bacab153e21f39d6a121c","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"88697cf980222d5906a37bf47662dac0732e2a0f","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"b5316e2b8614a87d8736941972441cb47bfd4491","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"ec82ea4eb220164d854f8734ca5a35e23e577b94","versionType":"git","status":"affected"},{"version":"6be3b0db6db82cf056a72cc18042048edd27f8ee","lessThan":"7f2d76c9c03257c0782afef9d95321fa04096f60","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/xfrm/xfrm_policy.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]