inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-53175
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-25 09:16:34 UTC
Updated2026-06-25 09:16:34 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 22ee4010866da81aeee08e1ea3fddbe418feb212 0e823ca0e7391630784ae7dd0981b7ad170a93d9 git Not specified
CNA Linux Linux affected 543555954b1ee8d1903a7020324efb41b0c97428 c22599cc90e1cd5f8129c8670bd68a02ff7177b4 git Not specified
CNA Linux Linux affected c70df25214ac9b32b53e18e6ae3b8f073ffa6903 89b909e9704587bfecc1aab1d37e98faee03b9f9 git Not specified
CNA Linux Linux affected 006a5035b495dec008805df249f92c22c89c3d2e 010c3313a4d178dc2d3ce958d2e5cb055e2864c1 git Not specified
CNA Linux Linux affected 006a5035b495dec008805df249f92c22c89c3d2e 32594b09854970d7ba83eb2dc8c69a2edd158c8e git Not specified
CNA Linux Linux affected 6.12.93 6.12.94 semver Not specified
CNA Linux Linux affected 6.18.3 6.18.36 semver Not specified
CNA Linux Linux affected 6.19 Not specified
CNA Linux Linux unaffected 6.19 semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/0e823ca0e7391630784ae7dd0981b7ad170a93d9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/c22599cc90e1cd5f8129c8670bd68a02ff7177b4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/010c3313a4d178dc2d3ce958d2e5cb055e2864c1 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/89b909e9704587bfecc1aab1d37e98faee03b9f9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/32594b09854970d7ba83eb2dc8c69a2edd158c8e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report