CVE-2026-53264 Overview
CVE-2026-53264 is a use-after-free race condition in the Linux kernel's net/sched subsystem, specifically in act_api action lifecycle management. The flaw occurs when NEWTFILTER and DELFILTER operations execute concurrently against an associated traffic control action. One CPU can hold a stale pointer to a tc_action object that another CPU frees immediately, leading to memory corruption. The maintainers resolved the issue by reintroducing Read-Copy-Update (RCU) deferred freeing via call_rcu() and kfree_rcu(), ensuring the object is not released until after the RCU grace period.
Critical Impact
Concurrent tc filter operations can trigger a kernel use-after-free, enabling local denial of service and potential privilege escalation on unpatched Linux systems.
Affected Products
- Linux kernel — net/sched subsystem (act_api)
- Stable kernel branches referenced by the upstream fix commits
- Distributions shipping unpatched mainline or stable kernels
Discovery Timeline
- 2026-06-25 - CVE-2026-53264 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53264
Vulnerability Analysis
The vulnerability is a [CWE-416] use-after-free triggered by a race in the traffic control (tc) action lifecycle. The act_api module manages tc_action structures via an IDR (ID Radix tree) protected by a mutex and RCU. When NEWTFILTER runs on one CPU while DELFILTER runs on another, the delete path can drop the refcount to zero, remove the action from the IDR, and call kfree() immediately. The concurrent lookup path can still hold a reference returned by idr_find() and call refcount_inc_not_zero() on freed memory.
Root Cause
The regression originated in commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu"), which removed RCU-deferred freeing for tc_action objects. Without rcu_head deferral, tcf_action_cleanup() released memory synchronously inside the delete path. A lookup thread holding rcu_read_lock() could obtain a pointer from idr_find() before the remove, then dereference it after the delete path completed kfree(). The IDR provides RCU-protected lookups, but freeing was not deferred to match.
Attack Vector
A local user with the ability to create and delete tc filters and actions can race NEWTFILTER and DELFILTER netlink operations to trigger the use-after-free. Exploitation typically requires CAP_NET_ADMIN within a network namespace. On distributions that grant unprivileged user namespaces, an unprivileged local user can obtain the capability inside a new namespace and reach the vulnerable code path. Successful exploitation can corrupt kernel memory, leading to denial of service or local privilege escalation.
No public proof-of-concept code is available. The vulnerability mechanism is described in the upstream commit messages; see the Kernel Git Commit 91d105d for the canonical patch description.
Detection Methods for CVE-2026-53264
Indicators of Compromise
- Kernel oops or panic messages referencing tcf_action_cleanup, refcount_inc_not_zero, or act_api in dmesg logs
- KASAN reports flagging use-after-free in net/sched/act_api.c on systems with KASAN enabled
- Unexpected process crashes or kernel hangs correlated with tc filter manipulation
Detection Strategies
- Audit kernel versions against the fixed stable releases referenced in the upstream commits to identify exposed hosts
- Monitor auditd for netlink operations on NEWTFILTER and DELFILTER from non-administrative users or container workloads
- Enable KASAN in test environments to catch use-after-free conditions in the act_api code path during fuzzing or QA
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized log platform and alert on BUG:, KASAN:, and general protection fault strings
- Track creation of user namespaces by unprivileged users, particularly followed by tc netlink activity
- Baseline normal tc administrative activity and alert on high-frequency RTM_NEWTFILTER / RTM_DELTFILTER sequences from a single process
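The indicators listed above and the monitoring recommendations in this section can be turned into a small triage script. The following is an added example, not part of the original advisory or of the kernel project: it scans kernel ring-buffer lines for the indicator strings this page names, and applies a sliding-window rate check to a stream of (timestamp, pid, netlink message type) records so that a single process issuing RTM_NEWTFILTER / RTM_DELTFILTER in rapid alternation stands out. The dmesg-style lines and the event records are constructed samples, and the burst threshold (50 filter operations from one PID inside one second) is an assumed baseline to tune against each host's normal tc activity.

```python
import re
from collections import defaultdict

# Kernel log indicator strings listed in this advisory, paired with a short name
# so a hit can be reported without echoing the regex itself.
KERNEL_IOC_PATTERNS = [
    ("BUG", re.compile(r"\bBUG:")),
    ("KASAN", re.compile(r"\bKASAN:")),
    ("general protection fault", re.compile(r"general protection fault")),
    ("tcf_action_cleanup", re.compile(r"tcf_action_cleanup")),
    ("refcount_inc_not_zero", re.compile(r"refcount_inc_not_zero")),
    ("act_api", re.compile(r"act_api")),
]

# Netlink message types whose bursts the advisory recommends baselining.
TC_FILTER_OPS = {"RTM_NEWTFILTER", "RTM_DELTFILTER"}


def scan_kernel_log(lines):
    """Return [(index, line, [indicator names])] for every line hitting an indicator."""
    hits = []
    for i, line in enumerate(lines):
        matched = [name for name, rx in KERNEL_IOC_PATTERNS if rx.search(line)]
        if matched:
            hits.append((i, line, matched))
    return hits


def find_tc_bursts(events, window_s=1.0, threshold=50):
    """Sliding-window rate check over (timestamp_s, pid, msg_type) records.

    Returns {pid: peak_ops_in_window} for PIDs that issued at least `threshold`
    RTM_NEWTFILTER/RTM_DELTFILTER messages inside any `window_s` span. Other
    netlink message types are ignored. The threshold is an assumed baseline.
    """
    per_pid = defaultdict(list)
    for ts, pid, op in events:
        if op in TC_FILTER_OPS:
            per_pid[pid].append(ts)
    flagged = {}
    for pid, stamps in per_pid.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it spans at most window_s.
            while ts - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pid] = peak
    return flagged


# Constructed dmesg-style sample: addresses, symbol offsets and the source line
# number are made up for illustration.
SAMPLE_DMESG = [
    "[  120.001234] eth0: link becomes ready",
    "[  301.442100] BUG: KASAN: slab-use-after-free in tcf_action_cleanup+0x1a/0x2b0",
    "[  301.442200] Read of size 8 at addr ffff888012345678 by task tc/4321",
    "[  301.442300]  tcf_action_cleanup+0x1a/0x2b0 net/sched/act_api.c:123",
    "[  400.000000] systemd[1]: Started Daily apt download activities.",
    "[  512.000000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] SMP",
]

# Constructed netlink event stream: PID 1001 is a quiet admin session; PID 4321
# alternates NEWTFILTER/DELTFILTER 200 times in half a second, which is the
# shape a race against the act_api lifecycle would present to a monitor.
SAMPLE_EVENTS = (
    [(50.0 + i * 2.0, 1001, "RTM_NEWTFILTER") for i in range(5)]
    + [(100.0 + i * 0.0025, 4321, "RTM_NEWTFILTER" if i % 2 == 0 else "RTM_DELTFILTER")
       for i in range(200)]
    + [(100.1, 4321, "RTM_GETLINK")]  # unrelated netlink traffic is not counted
)


if __name__ == "__main__":
    for idx, line, names in scan_kernel_log(SAMPLE_DMESG):
        print(f"dmesg[{idx}] {names}: {line}")
    for pid, peak in find_tc_bursts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {peak} tc filter ops inside a 1 s window")
```

In production the first function would be fed from a forwarded kernel log stream and the second from whatever tracing source records netlink message types per process; the point of keeping them as pure functions over plain records is that the same logic can be unit-tested against captured samples before it is wired to an alerting pipeline.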
How to Mitigate CVE-2026-53264
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in the NVD entry and reboot affected hosts
- Inventory Linux systems running affected net/sched code and prioritize multi-tenant, container, and shared hosts
- Restrict CAP_NET_ADMIN and disable unprivileged user namespaces on systems that do not require them
Patch Information
The fix reintroduces struct rcu_head in tc_action and defers the final kfree() via call_rcu() / kfree_rcu() after the RCU grace period. Apply one of the upstream commits matching your stable branch: Kernel Git Commit 18af5d2, Kernel Git Commit 1f1b98f, Kernel Git Commit 5057e1a, Kernel Git Commit 5dd51e0, Kernel Git Commit 8b136f1, Kernel Git Commit 91d105d, Kernel Git Commit 98b2e40, and Kernel Git Commit b60e939. Consult your distribution's security tracker for backported package versions.
Workarounds
- Disable unprivileged user namespaces via sysctl -w kernel.unprivileged_userns_clone=0 where the distribution supports it
- Restrict netlink access using seccomp or container runtime profiles to block tc operations from untrusted workloads
- Drop CAP_NET_ADMIN from container and service definitions that do not legitimately require traffic control configuration
# Configuration example
# Disable unprivileged user namespace creation (Debian/Ubuntu). The
# kernel.unprivileged_userns_clone key is a distribution patch, so check that
# it exists before writing it.
if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
    sudo sysctl -w kernel.unprivileged_userns_clone=0
    echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-cve-2026-53264.conf
fi
# Verify the running kernel version against your distribution's patched release
uname -r
# Audit running containers for CAP_NET_ADMIN (xargs -r skips inspect when no containers are running)
docker ps --quiet | xargs -r -I {} docker inspect --format '{{.Name}} {{.HostConfig.CapAdd}}' {}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

