{"api_version":"1","generated_at":"2026-06-25T16:12:52+00:00","cve":"CVE-2026-53262","urls":{"html":"https://cve.report/CVE-2026-53262","api":"https://cve.report/api/cve/CVE-2026-53262.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53262","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53262"},"summary":{"title":"l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()\n\npppol2tp_ioctl() read sock->sk->sk_user_data directly without any\nlocks or reference counting.  If a controllable sleep was induced during\ncopy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent\nsocket close could trigger pppol2tp_session_close() asynchronously.  This\nfrees the l2tp_session structure via the l2tp_session_del_work workqueue.\nUpon resuming, the ioctl thread dereferences the stale session pointer,\nresulting in a Use-After-Free (UAF).\n\nFix this by securely fetching the session reference using the RCU-safe,\nrefcounted helper pppol2tp_sock_to_session(sk) on entry.  This locks the\nsession's refcount across the sleep.  We structured the function to exit\nvia standard err breaks, guaranteeing that l2tp_session_put() is cleanly\ncalled on all return paths to drop the reference.\n\nTo preserve existing behavior we validate the session and its magic\nsignature only for the specific L2TP commands that require it.  This\nensures that generic/unknown ioctls called on an unconnected socket\nstill return -ENOIOCTLCMD and correctly fall back to generic handlers\n(e.g. in sock_do_ioctl()).","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:44","updated_at":"2026-06-25 09:16:44"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/a213a8950414c684999dcf03edeea6c46ede172e","name":"https://git.kernel.org/stable/c/a213a8950414c684999dcf03edeea6c46ede172e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e251d4cdfc725c9e7d686161e3b775a0e7d95053","name":"https://git.kernel.org/stable/c/e251d4cdfc725c9e7d686161e3b775a0e7d95053","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/78cdfdca88cbf731a92f3b9ee5427c633dd94e28","name":"https://git.kernel.org/stable/c/78cdfdca88cbf731a92f3b9ee5427c633dd94e28","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/62f327e287cf7b595ae3f73ba72f5cd2a9e9f39f","name":"https://git.kernel.org/stable/c/62f327e287cf7b595ae3f73ba72f5cd2a9e9f39f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53262","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53262","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fd558d186df2c13a22455373858bae634a4795af 78cdfdca88cbf731a92f3b9ee5427c633dd94e28 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fd558d186df2c13a22455373858bae634a4795af e251d4cdfc725c9e7d686161e3b775a0e7d95053 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fd558d186df2c13a22455373858bae634a4795af 62f327e287cf7b595ae3f73ba72f5cd2a9e9f39f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fd558d186df2c13a22455373858bae634a4795af a213a8950414c684999dcf03edeea6c46ede172e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.35","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.35 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/l2tp/l2tp_ppp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"78cdfdca88cbf731a92f3b9ee5427c633dd94e28","status":"affected","version":"fd558d186df2c13a22455373858bae634a4795af","versionType":"git"},{"lessThan":"e251d4cdfc725c9e7d686161e3b775a0e7d95053","status":"affected","version":"fd558d186df2c13a22455373858bae634a4795af","versionType":"git"},{"lessThan":"62f327e287cf7b595ae3f73ba72f5cd2a9e9f39f","status":"affected","version":"fd558d186df2c13a22455373858bae634a4795af","versionType":"git"},{"lessThan":"a213a8950414c684999dcf03edeea6c46ede172e","status":"affected","version":"fd558d186df2c13a22455373858bae634a4795af","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/l2tp/l2tp_ppp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.35"},{"lessThan":"2.6.35","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"2.6.35","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"2.6.35","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"2.6.35","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"2.6.35","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()\n\npppol2tp_ioctl() read sock->sk->sk_user_data directly without any\nlocks or reference counting.  If a controllable sleep was induced during\ncopy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent\nsocket close could trigger pppol2tp_session_close() asynchronously.  This\nfrees the l2tp_session structure via the l2tp_session_del_work workqueue.\nUpon resuming, the ioctl thread dereferences the stale session pointer,\nresulting in a Use-After-Free (UAF).\n\nFix this by securely fetching the session reference using the RCU-safe,\nrefcounted helper pppol2tp_sock_to_session(sk) on entry.  This locks the\nsession's refcount across the sleep.  We structured the function to exit\nvia standard err breaks, guaranteeing that l2tp_session_put() is cleanly\ncalled on all return paths to drop the reference.\n\nTo preserve existing behavior we validate the session and its magic\nsignature only for the specific L2TP commands that require it.  This\nensures that generic/unknown ioctls called on an unconnected socket\nstill return -ENOIOCTLCMD and correctly fall back to generic handlers\n(e.g. in sock_do_ioctl())."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:50.550Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/78cdfdca88cbf731a92f3b9ee5427c633dd94e28"},{"url":"https://git.kernel.org/stable/c/e251d4cdfc725c9e7d686161e3b775a0e7d95053"},{"url":"https://git.kernel.org/stable/c/62f327e287cf7b595ae3f73ba72f5cd2a9e9f39f"},{"url":"https://git.kernel.org/stable/c/a213a8950414c684999dcf03edeea6c46ede172e"}],"title":"l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53262","datePublished":"2026-06-25T08:39:50.550Z","dateReserved":"2026-06-09T07:44:35.394Z","dateUpdated":"2026-06-25T08:39:50.550Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:44","lastModifiedDate":"2026-06-25 09:16:44","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53262","Ordinal":"1","Title":"l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()","CVE":"CVE-2026-53262","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53262","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()\n\npppol2tp_ioctl() read sock->sk->sk_user_data directly without any\nlocks or reference counting.  If a controllable sleep was induced during\ncopy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent\nsocket close could trigger pppol2tp_session_close() asynchronously.  This\nfrees the l2tp_session structure via the l2tp_session_del_work workqueue.\nUpon resuming, the ioctl thread dereferences the stale session pointer,\nresulting in a Use-After-Free (UAF).\n\nFix this by securely fetching the session reference using the RCU-safe,\nrefcounted helper pppol2tp_sock_to_session(sk) on entry.  This locks the\nsession's refcount across the sleep.  We structured the function to exit\nvia standard err breaks, guaranteeing that l2tp_session_put() is cleanly\ncalled on all return paths to drop the reference.\n\nTo preserve existing behavior we validate the session and its magic\nsignature only for the specific L2TP commands that require it.  This\nensures that generic/unknown ioctls called on an unconnected socket\nstill return -ENOIOCTLCMD and correctly fall back to generic handlers\n(e.g. in sock_do_ioctl()).","Type":"Description","Title":"l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()"}]}}}