
CVE-2026-53260: Linux Kernel Use-After-Free Vulnerability

CVE-2026-53260 is a use-after-free vulnerability in the Linux kernel TCP request socket handling that causes reference count underflow. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-53260 Overview

CVE-2026-53260 is a race condition vulnerability in the Linux kernel's TCP stack, specifically within the reqsk_queue_hash_req() function in net/ipv4/inet_connection_sock.c. The flaw causes a refcount underflow on reqsk->rsk_refcnt, leading to a use-after-free condition detected by syzbot fuzzing. The issue manifests exclusively on kernels built with PREEMPT_RT, where a preemption window between mod_timer() and refcount_set() allows the request socket timer to fire before reference counts are properly initialized. The vulnerability has been resolved upstream by wrapping the affected sequence with preempt_disable_nested() and preempt_enable_nested().

Critical Impact

A use-after-free condition in the kernel TCP request socket handling path can trigger refcount underflow warnings and potential memory corruption on PREEMPT_RT systems handling concurrent TCP connection requests.

Affected Products

  • Linux kernel builds with CONFIG_PREEMPT_RT enabled
  • TCP/IPv4 subsystem (net/ipv4/inet_connection_sock.c)
  • Systems handling concurrent inbound TCP SYN traffic on real-time kernels

Discovery Timeline

  • 2026-06-25 - CVE-2026-53260 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53260

Vulnerability Analysis

The vulnerability resides in the TCP request socket queuing logic invoked when the kernel accepts an incoming SYN and creates a request socket (reqsk) entry. The function reqsk_queue_hash_req() arms a retransmission timer via mod_timer() and then initializes the refcount with refcount_set(). On PREEMPT_RT kernels, the thread can be preempted between these two operations.

If the request socket timer fires during this preemption window, reqsk_timer_handler() invokes __inet_csk_reqsk_queue_drop(), which removes the reqsk from the established hash (ehash) and calls reqsk_put(). A second reqsk_put() follows in the timer handler itself. Because the refcount was never set to the expected value covering both the ehash reference and the timer reference, both decrements drive the counter into underflow.

The resulting "refcount_t: underflow; use-after-free" warning indicates the request socket structure can be freed while still referenced, producing a classic use-after-free scenario in kernel network code [CWE-416, CWE-362].

Root Cause

The root cause is a missing preemption boundary around a non-atomic initialization sequence. The original code performed mod_timer() followed by refcount_set() without disabling preemption. On PREEMPT_RT, where spinlocks are mutexes and preemption is more aggressive, the scheduler can interrupt this sequence and allow the timer to execute before the refcount reflects all outstanding references.

Attack Vector

Reaching the vulnerable window requires inbound TCP traffic that creates request sockets, combined with timing (such as a listener closing) that causes the request socket timer to fire during the preemption window. Hitting that precise window is non-deterministic and requires PREEMPT_RT to be enabled. The ehash lookup path tolerates entries whose sk_refcnt is zero by skipping them, and inet_ehash_insert() enforces ordering through standard locking, so the flaw manifests as a kernel warning and use-after-free condition rather than a directly weaponizable remote exploit primitive.

The fix wraps the mod_timer() and refcount_set() pair with preempt_disable_nested() and preempt_enable_nested(), ensuring the timer cannot execute before the refcount is established. The inet_ehash_insert() call remains outside the preemption-disabled region because it holds a sleepable lock on PREEMPT_RT.
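The race described in the Vulnerability Analysis, Root Cause and fix paragraphs above, modelled as an added user-space example. This is not kernel code and not the upstream patch: every name is prefixed toy_, the scheduler is reduced to a preempt count plus explicit preemption points where the armed timer is assumed to run whenever it is allowed to (the worst case), and the refcount is initialised to 2 (one reference for the ehash entry, one for the timer), which is a modelling assumption based on the page's description rather than the exact upstream value.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the request socket's refcount. Like lib/refcount.c, a decrement
 * that would go below zero is reported as an underflow instead of freeing. */
struct toy_refcount {
    int val;
    int underflows;   /* count of "refcount_t: underflow; use-after-free" events */
};

struct toy_reqsk {
    struct toy_refcount rsk_refcnt;
    bool timer_armed;  /* the request socket timer holds a reference while armed */
    bool in_ehash;     /* the ehash entry holds a reference while present */
    bool freed;        /* set when the last reference is dropped */
};

/* Scheduler state of the model: while preempt_count > 0 the current path
 * cannot be preempted, so the armed timer cannot run. (Assumed model.) */
static int preempt_count = 0;
static void toy_preempt_disable_nested(void) { preempt_count++; }
static void toy_preempt_enable_nested(void)  { preempt_count--; }

/* reqsk_put(): drop one reference, detecting underflow rather than corrupting memory. */
static void toy_reqsk_put(struct toy_reqsk *req)
{
    if (req->rsk_refcnt.val <= 0) {
        req->rsk_refcnt.underflows++;
        return;
    }
    if (--req->rsk_refcnt.val == 0)
        req->freed = true;
}

/* reqsk_timer_handler() as the page describes it: __inet_csk_reqsk_queue_drop()
 * unhashes the reqsk and drops the ehash reference, then the handler drops its own. */
static void toy_timer_handler(struct toy_reqsk *req)
{
    req->timer_armed = false;
    if (req->in_ehash) {
        req->in_ehash = false;
        toy_reqsk_put(req);
    }
    toy_reqsk_put(req);
}

/* A preemption point: whenever preemption is allowed and the timer is armed,
 * the model lets the timer run right here. */
static void toy_preemption_point(struct toy_reqsk *req)
{
    if (preempt_count == 0 && req->timer_armed)
        toy_timer_handler(req);
}

static void toy_mod_timer(struct toy_reqsk *req) { req->timer_armed = true; }
static void toy_refcount_set(struct toy_reqsk *req, int v) { req->rsk_refcnt.val = v; }

/* The shape of reqsk_queue_hash_req(): hash insert, arm the timer, set the refcount.
 * fixed == false reproduces the vulnerable ordering; fixed == true applies the fix of
 * wrapping mod_timer()/refcount_set() in preempt_disable_nested()/preempt_enable_nested().
 * Returns the number of underflow events observed. */
static int toy_reqsk_queue_hash_req(struct toy_reqsk *req, bool fixed)
{
    *req = (struct toy_reqsk){0};
    req->in_ehash = true;            /* inet_ehash_insert(): takes the ehash reference */

    if (fixed)
        toy_preempt_disable_nested();
    toy_mod_timer(req);              /* the timer now logically holds a reference */
    toy_preemption_point(req);       /* the window between mod_timer() and refcount_set() */
    toy_refcount_set(req, 2);        /* assumed: one ref for ehash, one for the timer */
    if (fixed)
        toy_preempt_enable_nested();

    toy_preemption_point(req);       /* with the fix, the timer can only fire from here on */
    return req->rsk_refcnt.underflows;
}

int main(void)
{
    struct toy_reqsk req;
    int vuln = toy_reqsk_queue_hash_req(&req, false);
    printf("vulnerable ordering: %d underflow event(s)\n", vuln);
    int fixed = toy_reqsk_queue_hash_req(&req, true);
    printf("fixed ordering:      %d underflow event(s), freed=%d\n", fixed, req.freed);
    return 0;
}
```

In the vulnerable ordering the timer runs while the refcount is still zero, so both reqsk_put() calls in the handler are flagged as underflows and the later refcount_set() leaves a count that no holder owns. With preemption disabled across the pair, the timer cannot run until the count reflects both references, and its two puts bring the object cleanly to zero.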

Detection Methods for CVE-2026-53260

Indicators of Compromise

  • Kernel log entries containing "refcount_t: underflow; use-after-free" originating from refcount_warn_saturate+0xb2/0x110 in lib/refcount.c:28
  • Stack traces referencing reqsk_put, __inet_csk_reqsk_queue_drop, and reqsk_timer_handler in net/ipv4/inet_connection_sock.c
  • Unexpected TCP connection failures or listener instability on PREEMPT_RT kernels under SYN load

Detection Strategies

  • Monitor dmesg and journalctl -k for WARNING entries from lib/refcount.c accompanied by TCP request socket call traces
  • Audit running kernel configuration for CONFIG_PREEMPT_RT=y combined with vulnerable kernel versions predating the fix commits b183215ff714 and e10902df2448
  • Correlate kernel taint flags (Tainted: G L) with TCP subsystem warnings in centralized logging
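The first two detection strategies above, correlating a refcount underflow WARNING with a call trace that passes through the request socket timer path, as an added example in C (kept in the same language as the race model on this page; it is not tooling from the page or the kernel project). The log text is constructed to resemble kernel ring buffer output and is not a real capture; the frame names are the ones this page lists, and the 16-line trace window is an assumed bound.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of a kernel ring buffer (not a real capture). The first
 * warning's call trace passes through the TCP request socket path; the second
 * is an unrelated refcount warning that must not be attributed to it. */
static const char *sample_kmsg =
    "[  120.000101] refcount_t: underflow; use-after-free.\n"
    "[  120.000102] WARNING: CPU: 1 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0xb2/0x110\n"
    "[  120.000103] Call Trace:\n"
    "[  120.000104]  reqsk_put\n"
    "[  120.000105]  __inet_csk_reqsk_queue_drop\n"
    "[  120.000106]  reqsk_timer_handler\n"
    "[  120.000107]  call_timer_fn\n"
    "[  121.000001] eth0: link becomes ready\n"
    "[  130.000001] refcount_t: underflow; use-after-free.\n"
    "[  130.000002] WARNING: CPU: 0 PID: 42 at lib/refcount.c:28 refcount_warn_saturate+0xb2/0x110\n"
    "[  130.000003] Call Trace:\n"
    "[  130.000004]  some_unrelated_driver_put\n"
    "[  130.000005]  process_one_work\n";

/* Frames that tie a refcount warning to the reqsk timer path (taken from this page). */
static const char *const tcp_reqsk_frames[] = {
    "reqsk_put", "__inet_csk_reqsk_queue_drop", "reqsk_timer_handler",
};

/* Assumed bound: trace lines after a warning within which a frame still belongs to it. */
#define TRACE_WINDOW 16

/* Copy one line of log text into buf; return the start of the next line or NULL at end. */
static const char *next_line(const char *p, char *buf, size_t bufsz)
{
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= bufsz)
        len = bufsz - 1;               /* truncate over-long lines rather than overflow */
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : NULL;
}

/* Count refcount underflow warnings whose call trace contains a TCP reqsk frame.
 * Each warning is counted at most once, however many matching frames follow it. */
int count_tcp_reqsk_underflows(const char *log)
{
    int hits = 0, window = 0;
    bool attributed = false;
    char line[256];
    const char *p = log;

    while (p && *p) {
        p = next_line(p, line, sizeof line);
        if (strstr(line, "refcount_t: underflow")) {
            window = TRACE_WINDOW;     /* a new warning opens a fresh trace window */
            attributed = false;
            continue;
        }
        if (window == 0)
            continue;                  /* not inside any warning's trace */
        window--;
        if (attributed)
            continue;                  /* this warning is already counted */
        for (size_t i = 0; i < sizeof tcp_reqsk_frames / sizeof tcp_reqsk_frames[0]; i++) {
            if (strstr(line, tcp_reqsk_frames[i])) {
                attributed = true;
                hits++;
                break;
            }
        }
    }
    return hits;
}

int main(void)
{
    printf("TCP reqsk refcount underflow warnings: %d\n",
           count_tcp_reqsk_underflows(sample_kmsg));
    return 0;
}
```

The same logic ported to a SIEM rule keys on the underflow message and then looks for any of the three frames in the lines that follow, so that refcount warnings from other subsystems do not raise the alert.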

Monitoring Recommendations

  • Forward kernel ring buffer logs to a SIEM or data lake and create alerts for refcount underflow warnings tied to TCP code paths
  • Track kernel version inventory across Linux fleets to identify hosts running PREEMPT_RT builds requiring patching
  • Baseline TCP listener health metrics to detect anomalous request socket drops that may correlate with the race condition

How to Mitigate CVE-2026-53260

Immediate Actions Required

  • Apply the upstream stable kernel updates containing commits b183215ff714efb747d9d5a429322ba6404b5401 and e10902df24488ca722303133acfc82490f7d59ad to all affected systems
  • Prioritize patching on hosts where CONFIG_PREEMPT_RT is enabled, including real-time workloads, telecom NFV nodes, and industrial control systems
  • Inventory custom-built kernels to confirm whether the vulnerable reqsk_queue_hash_req() code path is present

Patch Information

The fix introduces preempt_disable_nested() and preempt_enable_nested() around mod_timer() and refcount_set() in reqsk_queue_hash_req(), eliminating the preemption window that allowed the timer to fire before the refcount was established. Patch details are available in the Kernel Git Commit Summary and the Kernel Git Commit Analysis.

Workarounds

  • Rebuild affected kernels without CONFIG_PREEMPT_RT if real-time scheduling is not required for the workload
  • Restrict exposure of TCP listeners on affected hosts to trusted networks until patches are deployed
  • Apply rate limiting on inbound SYN traffic to reduce the frequency at which the race condition can be triggered

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
