CVE-2026-53239 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed.
Race:
CPU0 (XFRM_MSG_DELPOLICY)                 CPU1 (XFRM_MSG_NEWSPDINFO)
==========================                ==========================
xfrm_policy_bysel_ctx():
  spin_lock_bh(xfrm_policy_lock)
  bin = xfrm_policy_inexact_lookup()
  __xfrm_policy_unlink(pol)
  spin_unlock_bh(xfrm_policy_lock)
  xfrm_policy_kill(ret)
  // wide window, lock not held
                                          xfrm_hash_rebuild():
                                            spin_lock_bh(xfrm_policy_lock)
                                            __xfrm_policy_inexact_flush():
                                              kfree_rcu(bin)   // bin freed
                                            spin_unlock_bh(xfrm_policy_lock)
  xfrm_policy_inexact_prune_bin(bin)
  // UAF: bin is freed
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability exists within the Linux kernel's IPsec implementation, specifically in the xfrm policy management subsystem where a use-after-free condition can occur during concurrent policy operations. This flaw manifests in the xfrm_policy_bysel_ctx() function when processing XFRM_MSG_DELPOLICY messages while another thread concurrently processes XFRM_MSG_NEWSPDINFO messages. The race condition stems from improper lock management during the policy deletion and hash table rebuilding operations, creating a window where memory allocated to policy bins can be freed while still being referenced by other threads.
The technical flaw occurs due to a missing synchronization point in the policy deletion sequence, where xfrm_policy_lock is released before all necessary cleanup operations have completed. In the race, the CPU0 thread executes xfrm_policy_bysel_ctx(), which acquires the lock, performs the policy lookup and unlinking, then releases the lock before calling xfrm_policy_kill(). Meanwhile, the CPU1 thread executes xfrm_hash_rebuild(), which reacquires the same lock and calls __xfrm_policy_inexact_flush(), freeing the bin memory through kfree_rcu(). When CPU0 later calls xfrm_policy_inexact_prune_bin() with the already freed bin pointer, the result is a use-after-free that can be exploited to execute arbitrary code or cause system instability.
This vulnerability directly maps to CWE-416, Use After Free, and aligns with ATT&CK technique T1059.007 for execution through kernel exploits. The operational impact includes potential privilege escalation, denial of service attacks, and system compromise when attackers can manipulate concurrent policy operations to trigger the race condition. The vulnerability affects systems running Linux kernels with IPsec functionality enabled where multiple threads are processing security policy messages simultaneously.
The fix implements proper lock ordering by calling __xfrm_policy_inexact_prune_bin() directly while still holding xfrm_policy_lock, eliminating the window where freed memory could be accessed. This approach prevents the race condition by ensuring that all cleanup operations occur within the locked context before releasing the lock entirely. The removal of the unused wrapper function xfrm_policy_inexact_prune_bin() further simplifies the code path and reduces potential attack surface. This fix aligns with secure coding practices for concurrent systems and follows the principle of minimizing lock hold times while ensuring proper memory management synchronization, addressing both the immediate race condition and preventing similar issues in related code paths.