CVE-2026-53275 Overview
CVE-2026-53275 is a use-after-free vulnerability in the Linux kernel's IPv6 multicast subsystem. The flaw resides in the Multicast Listener Discovery (MLD) query processing code in net/ipv6/mcast.c. When the kernel parses an MLD query, it retrieves a pointer to the multicast group address from the socket buffer (skb). Subsequent calls to pskb_may_pull() can reallocate the skb header, but the original pointer is dereferenced without being reloaded. The condition was confirmed by KASAN, which reported a slab-use-after-free read in __mld_query_work at net/ipv6/mcast.c:1512.
Critical Impact
Remote attackers on adjacent networks can trigger a kernel use-after-free by sending crafted MLD queries, potentially leading to denial of service or memory corruption in __mld_query_work.
Affected Products
- Linux kernel (mainline) — IPv6 multicast (net/ipv6/mcast.c) subsystem
- Stable kernel branches referenced in the upstream fix commits
- Linux distributions shipping kernels prior to the fix
Discovery Timeline
- 2026-06-25 - CVE-2026-53275 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53275
Vulnerability Analysis
The vulnerability is a use-after-free [CWE-416] in the Linux IPv6 MLD query handler. During initial parsing of an MLD packet, the kernel saves a pointer that references the multicast group address inside the skb linear buffer. The handler then invokes pskb_may_pull() to ensure additional bytes are linearized, which can call pskb_expand_head() and __pskb_pull_tail(). These functions may reallocate the skb head, freeing the original buffer through kfree(). The previously cached pointer becomes dangling and is later dereferenced in __mld_query_work, producing a read of freed slab memory.
Root Cause
The root cause is a stale pointer kept across a buffer-reallocation boundary. The MLD query handler assumed the skb linear data region remained stable after pskb_may_pull() calls. The upstream fix copies the multicast group address into a local variable at initial parsing instead of retaining a pointer into the skb. This removes the dependency on the buffer remaining mapped at the same address.
Attack Vector
MLD queries are received on the local link as ICMPv6 messages. An attacker with the ability to send IPv6 multicast traffic to the target — typically a host on the same Layer 2 segment — can craft queries sized to force pskb_may_pull() to reallocate the skb head. The deferred work item mld_query_work then dereferences the freed memory. Impact ranges from kernel panic to potential exploitation primitives where freed slab memory can be groomed by an attacker. See the upstream commits for the exact patch logic, including commit 087dbacf and commit 53baa63a.
// No verified exploit code is available. The vulnerable flow follows this pattern:
// 1. mld_query parses skb and stores ptr = &skb->data[offset_of_mca]
// 2. pskb_may_pull(skb, ...) -> pskb_expand_head() -> kfree(old head)
// 3. __mld_query_work() dereferences ptr (now freed) -> KASAN UAF
// Fix: copy the multicast group address by value at parse time.
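The stale-pointer flow and its fix, modelled in user space as an added example (not kernel code and not the upstream patch). The names toy_skb, toy_may_pull, parse_group_by_copy and demo are hypothetical, and the 24-byte buffer with the group address at offset 8 is constructed sample input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy stand-in for an skb linear buffer (hypothetical, not kernel code). */
struct toy_skb { unsigned char *head; size_t len; };
struct addr16 { unsigned char b[16]; };   /* stand-in for struct in6_addr */

/* Models pskb_may_pull() taking the pskb_expand_head() path: allocate a new
 * head, copy the data across, free the old head. */
static int toy_may_pull(struct toy_skb *skb, size_t need)
{
    if (need <= skb->len) return 1;        /* already linear, head untouched */
    unsigned char *nh = calloc(1, need);
    if (!nh) return 0;
    memcpy(nh, skb->head, skb->len);
    free(skb->head);                       /* pointers into the old head dangle */
    skb->head = nh;
    skb->len = need;
    return 1;
}

/* Fixed pattern: copy the group address by value before any pull. *moved
 * reports whether the head changed address, i.e. whether a pointer cached at
 * parse time would have gone stale. */
static int parse_group_by_copy(struct toy_skb *skb, size_t off, size_t need,
                               struct addr16 *out, int *moved)
{
    if (off + sizeof(*out) > skb->len) return 0;
    uintptr_t before = (uintptr_t)skb->head;
    memcpy(out, skb->head + off, sizeof(*out));   /* value copy, no pointer kept */
    if (!toy_may_pull(skb, need)) return 0;
    *moved = (before != (uintptr_t)skb->head);
    return 1;
}

/* Constructed input: 8-byte header, then the 16-byte group address ff02::1. */
static int demo(size_t need, int *moved)
{
    struct toy_skb skb = { calloc(1, 24), 24 };
    struct addr16 grp, want = { { 0xff, 0x02 } };
    want.b[15] = 0x01;
    if (!skb.head) return 0;
    memcpy(skb.head + 8, want.b, sizeof(want.b));
    int ok = parse_group_by_copy(&skb, 8, need, &grp, moved) &&
             memcmp(grp.b, want.b, sizeof(grp.b)) == 0;
    free(skb.head);
    return ok;
}
int main(void) { int moved = 0; return demo(28, &moved) ? 0 : 1; }
```

When the pull needs more bytes than are linear, the head moves and a cached pointer would reference freed memory, while the by-value copy still holds the correct address.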
Detection Methods for CVE-2026-53275
Indicators of Compromise
- KASAN reports containing slab-use-after-free in __mld_query_work in net/ipv6/mcast.c around line 1512
- Kernel oops or panic traces referencing mld_query_work, process_one_work, and pskb_expand_head
- Unexpected reboots or workqueue crashes on hosts processing IPv6 multicast traffic
Detection Strategies
- Monitor kernel ring buffer (dmesg, journalctl -k) for KASAN slab-use-after-free signatures referencing the mld workqueue
- Inspect IPv6 ICMPv6 type 130 (MLD Query) traffic for abnormally sized or malformed queries on local segments
- Correlate host crashes with bursts of inbound multicast traffic using flow telemetry
Monitoring Recommendations
- Centralize kernel logs from Linux endpoints and servers into a SIEM and alert on KASAN, BUG:, and mld_query_work strings
- Track kernel version inventory to identify hosts running unpatched stable branches
- Baseline IPv6 multicast traffic volumes and alert on anomalous spikes from single sources
How to Mitigate CVE-2026-53275
Immediate Actions Required
- Update the Linux kernel to a version that includes the upstream fix for the MLD query use-after-free
- Apply the distribution vendor kernel update once published and reboot affected systems
- For exposed multi-tenant or bare-metal hosts, prioritize patching nodes that share Layer 2 segments with untrusted workloads
Patch Information
The fix replaces the stored pointer with a copied multicast group address parsed before any pskb_may_pull() reallocation. Patch commits include 087dbacf, 1354271c, 2a613bf4, 4203806f, 53baa63a, 791c91dc, and b2eb8886.
Workarounds
- Restrict IPv6 multicast traffic at the network edge and on host firewalls where MLD is not required
- Disable IPv6 on hosts that do not require it, using sysctl controls described below
- Apply Layer 2 controls such as MLD snooping with trust boundaries to limit query origins
# Drop inbound MLD queries on untrusted interfaces (ICMPv6 type 130); eth0 is an example interface name
sudo ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 130 -j DROP
# Disable IPv6 where not needed (persistent)
echo 'net.ipv6.conf.all.disable_ipv6 = 1' | sudo tee /etc/sysctl.d/99-disable-ipv6.conf
echo 'net.ipv6.conf.default.disable_ipv6 = 1' | sudo tee -a /etc/sysctl.d/99-disable-ipv6.conf
sudo sysctl --system

