{"api_version":"1","generated_at":"2026-06-27T07:37:24+00:00","cve":"CVE-2026-53264","urls":{"html":"https://cve.report/CVE-2026-53264","api":"https://cve.report/api/cve/CVE-2026-53264.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53264","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53264"},"summary":{"title":"net/sched: act_api: use RCU with deferred freeing for action lifecycle","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() <-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() <-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index) <-- Action removed from IDR\n 1: mutex_unlock() <-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet's illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0\n 1: rcu_read_unlock() <-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0's subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:44","updated_at":"2026-06-25 09:16:44"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113","name":"https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3","name":"https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835","name":"https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305","name":"https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2","name":"https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5","name":"https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009","name":"https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7","name":"https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53264","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53264","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 98b2e40879abf0245be5a5b7af69e0f6ff524ac3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 18af5d2ef0c4f65787fd1280c8b23286b9f2a835 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 1f1b98fea6b9ea30507d0f2fbff6750292d097e2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 8b136f18ac4b2ace5aaad3305b3f8a5d8165a009 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 5dd51e09020c65aa53cf128e5e3517cd53b3c113 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da b60e9391142e983fab2be53497aa8f71fdd09cd5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 91d105d2cbe002f9c7b43a6183adedc37e1da1f7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da 5057e1aca011e51ef51498c940ef96f3d3e8a305 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.14","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.14 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53264","cve":"CVE-2026-53264","epss":"0.001720000","percentile":"0.068730000","score_date":"2026-06-26","updated_at":"2026-06-27 00:07:46"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/net/act_api.h","net/sched/act_api.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"98b2e40879abf0245be5a5b7af69e0f6ff524ac3","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"18af5d2ef0c4f65787fd1280c8b23286b9f2a835","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"1f1b98fea6b9ea30507d0f2fbff6750292d097e2","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"8b136f18ac4b2ace5aaad3305b3f8a5d8165a009","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"5dd51e09020c65aa53cf128e5e3517cd53b3c113","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"b60e9391142e983fab2be53497aa8f71fdd09cd5","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"91d105d2cbe002f9c7b43a6183adedc37e1da1f7","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"},{"lessThan":"5057e1aca011e51ef51498c940ef96f3d3e8a305","status":"affected","version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/net/act_api.h","net/sched/act_api.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.14"},{"lessThan":"4.14","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"4.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"4.14","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() <-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() <-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index) <-- Action removed from IDR\n 1: mutex_unlock() <-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet's illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0\n 1: rcu_read_unlock() <-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0's subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:51.870Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3"},{"url":"https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835"},{"url":"https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2"},{"url":"https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009"},{"url":"https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113"},{"url":"https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5"},{"url":"https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7"},{"url":"https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305"}],"title":"net/sched: act_api: use RCU with deferred freeing for action lifecycle","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53264","datePublished":"2026-06-25T08:39:51.870Z","dateReserved":"2026-06-09T07:44:35.395Z","dateUpdated":"2026-06-25T08:39:51.870Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:44","lastModifiedDate":"2026-06-25 09:16:44","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53264","Ordinal":"1","Title":"net/sched: act_api: use RCU with deferred freeing for action lif","CVE":"CVE-2026-53264","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53264","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() <-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() <-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index) <-- Action removed from IDR\n 1: mutex_unlock() <-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet's illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0\n 1: rcu_read_unlock() <-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0's subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur.","Type":"Description","Title":"net/sched: act_api: use RCU with deferred freeing for action lif"}]}}}