CVE-2026-53262 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
pppol2tp_ioctl() read sock->sk->sk_user_data directly without any locks or reference counting. If a controllable sleep was induced during copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent socket close could trigger pppol2tp_session_close() asynchronously. This frees the l2tp_session structure via the l2tp_session_del_work workqueue. Upon resuming, the ioctl thread dereferences the stale session pointer, resulting in a Use-After-Free (UAF).
Fix this by securely fetching the session reference using the RCU-safe, refcounted helper pppol2tp_sock_to_session(sk) on entry. This locks the session's refcount across the sleep. We structured the function to exit via standard err breaks, guaranteeing that l2tp_session_put() is cleanly called on all return paths to drop the reference.
To preserve existing behavior we validate the session and its magic signature only for the specific L2TP commands that require it. This ensures that generic/unknown ioctls called on an unconnected socket still return -ENOIOCTLCMD and correctly fall back to generic handlers (e.g. in sock_do_ioctl()).
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability in the Linux kernel's l2tp implementation is a critical use-after-free in the pppol2tp module. pppol2tp_ioctl() read sock->sk->sk_user_data directly, with neither locking nor reference counting. The race window opens when a controllable sleep is introduced during copy_from_user(), typically through userfaultfd page-fault handling: while the ioctl thread is suspended, the socket can be closed concurrently.
The impact follows from the asynchronous nature of that concurrent close. When pppol2tp_session_close() runs while the ioctl thread is suspended, it frees the l2tp_session structure through the l2tp_session_del_work workqueue. When the ioctl thread resumes, it dereferences the already freed session pointer, a use-after-free that can potentially be exploited for privilege escalation or system compromise.
The flaw maps to CWE-416 (Use After Free). It also aligns with ATT&CK technique T1068, local privilege escalation through kernel vulnerabilities, and shows the hallmarks of improper locking that enables race conditions in concurrent code. The fix adopts proper reference counting: the RCU-safe helper pppol2tp_sock_to_session(sk) takes a reference to the session on entry, so the session's refcount is held across the operations that may sleep.
The mitigation applies defensive programming to the whole ioctl path: the session reference is secured before any potentially blocking operation, and l2tp_session_put() is called on every return path through structured error handling with standard break statements, so no reference is leaked and session lifecycle management stays intact. Taking the reference before the sleep is what closes the race.
Backward compatibility is preserved by validating the session reference and its magic signature only for the L2TP-specific commands that need it. Generic or unknown ioctls keep their existing behaviour: they return -ENOIOCTLCMD and fall back to the standard socket ioctl handlers such as sock_do_ioctl(). The fix thus follows kernel security practice by adding the required synchronization while keeping the performance cost on legitimate operations minimal.
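As an added illustration (not the kernel's own code), the following user-space model of the fixed ioctl pattern shows the reference taken on entry surviving a close that lands in the sleep window, the put on every exit path, and the -ENOIOCTLCMD fallback for non-L2TP commands; session_get, close_during_sleep, run_scenario, the magic value, the command number and the -EBADF error code are constructed stand-ins.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Constructed user-space model of the fixed pppol2tp_ioctl() pattern; not kernel code. */
#define ENOIOCTLCMD 515          /* kernel-internal errno: "not my ioctl, fall back" */
#define L2TP_SESSION_MAGIC 0x5a  /* placeholder, not the kernel's real constant */
#define CMD_L2TP_STATS 1         /* placeholder for an L2TP-specific command */
struct session { unsigned magic; atomic_int refcnt; int stats; };
struct sock { struct session *user_data; };
static int live_sessions;        /* sessions still allocated; lets a test observe the free */
static int session_released(void) { return live_sessions == 0; }
/* Models pppol2tp_sock_to_session(): fetch the pointer and take a reference in one step. */
static struct session *session_get(struct sock *sk) {
    struct session *s = sk->user_data;  /* kernel: rcu_dereference + refcount_inc_not_zero */
    if (s) atomic_fetch_add(&s->refcnt, 1);
    return s;
}
static void session_put(struct session *s) {  /* models l2tp_session_put() */
    if (atomic_fetch_sub(&s->refcnt, 1) == 1) { free(s); live_sessions--; }
}
/* Models pppol2tp_session_close() racing in during the copy_from_user() sleep window. */
static void close_during_sleep(struct sock *sk) {
    struct session *s = sk->user_data;
    sk->user_data = NULL;            /* detach from the socket ... */
    if (s) session_put(s);           /* ... and drop the socket's own reference */
}
/* Reference taken on entry, dropped on every exit; validation only for L2TP commands. */
static int pppol2tp_ioctl_fixed(struct sock *sk, unsigned cmd, void (*sleep)(struct sock *)) {
    struct session *s = session_get(sk);
    int err;
    sleep(sk);                                    /* the concurrent close happens here */
    if (cmd != CMD_L2TP_STATS) { err = -ENOIOCTLCMD; goto out; }  /* generic fallback */
    if (!s || s->magic != L2TP_SESSION_MAGIC) { err = -EBADF; goto out; } /* assumed errno */
    err = s->stats;                               /* safe: our reference keeps s alive */
out:
    if (s) session_put(s);
    return err;
}
/* Run one ioctl on a fresh socket; session_released() then reports whether it was freed. */
static int run_scenario(unsigned cmd, int connected) {
    struct sock sk = { NULL };
    if (connected) {                 /* a connected socket owns one session reference */
        struct session *s = malloc(sizeof *s);
        s->magic = L2TP_SESSION_MAGIC; atomic_init(&s->refcnt, 1); s->stats = 42;
        sk.user_data = s;
    }
    live_sessions = connected;
    return pppol2tp_ioctl_fixed(&sk, cmd, close_during_sleep);
}
```

With the socket closed mid-sleep, the L2TP command still reads valid session data (42) and the session is freed exactly once, after the ioctl's own put; the same close during a generic command still yields -ENOIOCTLCMD.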
The resolution addresses a basic problem in kernel memory management and concurrent access control, and it illustrates the secure reference-counting pattern that network protocol implementations should follow. It underlines the need for correct locking and reference counting in kernel code, especially around asynchronous operations that can race between different kernel subsystems.