net/sched: act_api: use RCU with deferred freeing for action lifecycle

Summary

CVE: CVE-2026-53264
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-25 09:16:44 UTC
Updated: 2026-06-25 09:16:44 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: use RCU with deferred freeing for action lifecycle

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action. Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

    0: mutex_lock() <-- holds the idr lock
    0: rcu_read_lock()
    0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
    0: mutex_unlock() <-- releases the idr lock
    1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
    1: idr_remove(idr, index) <-- Action removed from IDR
    1: mutex_unlock() <-- mutex released allowing us to delete the action
    1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
    0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

    0: rcu_read_lock()
    1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
    1: idr_remove(idr, index)
    1: mutex_unlock()
    1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
    0: p = idr_find(idr, index)
    0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
    1: rcu_read_unlock() <-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.
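An added example, not part of the CVE record or the kernel patch: a single-threaded C model that replays the first interleaving above (CPU0 holds a pointer from idr_find() before CPU1 drops the last reference) under both freeing policies. The struct, the static pool and the helper names are constructed stand-ins for the kernel primitives named in the traces; freeing is modelled with a flag so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy single-threaded model; every name here is constructed, not kernel code. */
struct action { int refcnt; bool freed; };
static struct action pool;        /* stands in for the allocated tc_action */
static struct action *idr_slot;   /* stands in for the IDR entry at index */
static struct action *deferred;   /* object queued by the call_rcu() stand-in */
static int readers;               /* CPUs inside rcu_read_lock() */
static bool took_ref;             /* did CPU0's refcount_inc_not_zero() succeed? */

static void release(struct action *p, bool use_rcu) {
    if (use_rcu) deferred = p;    /* fixed path: free only after a grace period */
    else p->freed = true;         /* vulnerable path: kfree(p) immediately */
}
static void grace_period(void) {  /* callbacks run only once no reader remains */
    if (readers == 0 && deferred) { deferred->freed = true; deferred = NULL; }
}
/* Models refcount_inc_not_zero(); flags *uaf if the object is already freed. */
static bool get_ref(struct action *p, bool *uaf) {
    if (p->freed) { *uaf = true; return false; }
    if (p->refcnt == 0) return false;
    p->refcnt++; return true;
}

/* Replays the first trace; returns true if freed memory was touched. */
bool replay(bool use_rcu) {
    bool uaf = false;
    pool = (struct action){ .refcnt = 1, .freed = false };
    idr_slot = &pool; deferred = NULL; readers = 0;

    readers++;                        /* CPU0: rcu_read_lock() */
    struct action *p = idr_slot;      /* CPU0: p = idr_find(idr, index) */
    if (--pool.refcnt == 0) {         /* CPU1: refcount_dec_and_mutex_lock() */
        idr_slot = NULL;              /* CPU1: idr_remove(idr, index) */
        release(&pool, use_rcu);      /* CPU1: kfree() or call_rcu() */
    }
    grace_period();                   /* cannot finish: CPU0 is still a reader */
    took_ref = p && get_ref(p, &uaf); /* CPU0: refcount_inc_not_zero() */
    readers--;                        /* CPU0: rcu_read_unlock() */
    grace_period();                   /* the deferred free may run now */
    return uaf;
}

int main(void) {
    printf("immediate kfree: uaf=%d\n", replay(false));
    printf("deferred free:   uaf=%d\n", replay(true));
    return 0;
}
```

With deferral, the stale pointer still refers to live memory whose refcount is 0, so the increment fails cleanly and the object is released only after the reader leaves its critical section.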

Risk And Classification

EPSS: 0.001720000 probability, percentile 0.068730000 (date 2026-06-26)

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 98b2e40879abf0245be5a5b7af69e0f6ff524ac3 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 18af5d2ef0c4f65787fd1280c8b23286b9f2a835 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 1f1b98fea6b9ea30507d0f2fbff6750292d097e2 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 8b136f18ac4b2ace5aaad3305b3f8a5d8165a009 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 5dd51e09020c65aa53cf128e5e3517cd53b3c113 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da b60e9391142e983fab2be53497aa8f71fdd09cd5 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 91d105d2cbe002f9c7b43a6183adedc37e1da1f7 git Not specified
CNA Linux Linux affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 5057e1aca011e51ef51498c940ef96f3d3e8a305 git Not specified
CNA Linux Linux affected 4.14 Not specified
CNA Linux Linux unaffected 4.14 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis