CVE-2026-53275: Linux Kernel Use-After-Free Vulnerability

CVE-2026-53275 is a use-after-free flaw in the Linux kernel's IPv6 multicast listener discovery that occurs when processing MLD queries. This post covers the technical details, affected versions, impact, and mitigation.

CVE-2026-53275 Overview

CVE-2026-53275 is a use-after-free vulnerability in the Linux kernel's IPv6 multicast subsystem. The flaw resides in the Multicast Listener Discovery (MLD) query processing code in net/ipv6/mcast.c. When the kernel parses an MLD query, it retrieves a pointer to the multicast group address from the socket buffer (skb). Subsequent calls to pskb_may_pull() can reallocate the skb header, but the original pointer is dereferenced without being reloaded. The condition was confirmed by KASAN, which reported a slab-use-after-free read in __mld_query_work at net/ipv6/mcast.c:1512.

Critical Impact

Remote attackers on adjacent networks can trigger a kernel use-after-free by sending crafted MLD queries, potentially leading to denial of service or memory corruption in __mld_query_work.

Affected Products

  • Linux kernel (mainline) — IPv6 multicast (net/ipv6/mcast.c) subsystem
  • Stable kernel branches referenced in the upstream fix commits
  • Linux distributions shipping kernels prior to the fix

Discovery Timeline

  • 2026-06-25 - CVE-2026-53275 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53275

Vulnerability Analysis

The vulnerability is a use-after-free [CWE-416] in the Linux IPv6 MLD query handler. During initial parsing of an MLD packet, the kernel saves a pointer that references the multicast group address inside the skb linear buffer. The handler then invokes pskb_may_pull() to ensure additional bytes are linearized, which can call pskb_expand_head() and __pskb_pull_tail(). These functions may reallocate the skb head, freeing the original buffer through kfree(). The previously cached pointer becomes dangling and is later dereferenced in __mld_query_work, producing a read of freed slab memory.

Root Cause

The root cause is a stale pointer kept across a buffer-reallocation boundary. The MLD query handler assumed the skb linear data region remained stable after pskb_may_pull() calls. The upstream fix copies the multicast group address into a local variable at initial parsing instead of retaining a pointer into the skb. This removes the dependency on the buffer remaining mapped at the same address.

Attack Vector

MLD queries are received on the local link as ICMPv6 messages. An attacker with the ability to send IPv6 multicast traffic to the target — typically a host on the same Layer 2 segment — can craft queries sized to force pskb_may_pull() to reallocate the skb head. The deferred work item mld_query_work then dereferences the freed memory. Impact ranges from kernel panic to potential exploitation primitives where freed slab memory can be groomed by an attacker. See the upstream commits for the exact patch logic, including commit 087dbacf and commit 53baa63a.

// No verified exploit code is available. The vulnerable flow follows this pattern:
// 1. mld_query parses skb and stores ptr = &skb->data[offset_of_mca]
// 2. pskb_may_pull(skb, ...) -> pskb_expand_head() -> kfree(old head)
// 3. __mld_query_work() dereferences ptr (now freed) -> KASAN UAF
// Fix: copy the multicast group address by value at parse time.
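
The stale-pointer pattern and the copy-by-value fix can be reproduced safely in userspace. The following is an added illustration, not kernel code and not the upstream patch: `fake_skb`, `make_skb`, `may_pull`, `cached_ptr_is_stale`, `parse_by_value` and the sample packet are hypothetical names and constructed data. The stale address is only compared against the live buffer, never dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { MCA_OFF = 8, MCA_LEN = 16, MLD1_LEN = 24, MLD2_LEN = 28 };

/* Constructed MLDv2 group-specific query for ff02::1:3 (checksum left zero). */
static const uint8_t SAMPLE_QUERY[MLD2_LEN] = {
    130, 0, 0, 0, 0x03, 0xe8, 0, 0,
    0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 3,
    0x02, 0x7d, 0, 0 };

/* Userspace stand-in for an skb: head = linear bytes, frag = bytes not yet pulled. */
struct fake_skb { uint8_t *head; size_t linear, total; const uint8_t *frag; };

struct fake_skb make_skb(const uint8_t *pkt, size_t total, size_t linear) {
    struct fake_skb s = { malloc(linear), linear, total, pkt + linear };
    if (!s.head) abort();
    memcpy(s.head, pkt, linear);
    return s;
}

/* Models pskb_may_pull(): growing the linear area allocates a new head, frees the old. */
int may_pull(struct fake_skb *s, size_t len) {
    if (len <= s->linear) return 1;
    if (len > s->total) return 0;
    uint8_t *nh = malloc(len);
    if (!nh) return 0;
    memcpy(nh, s->head, s->linear);
    memcpy(nh + s->linear, s->frag, len - s->linear);
    s->frag += len - s->linear;
    free(s->head);              /* pointers into the old head now dangle */
    s->head = nh; s->linear = len;
    return 1;
}

/* Vulnerable shape: an address cached before the pull. Returns 1 when that address
 * is outside the live head, i.e. dereferencing it would read freed memory. */
int cached_ptr_is_stale(struct fake_skb *s) {
    uintptr_t cached = (uintptr_t)(s->head + MCA_OFF);
    if (!may_pull(s, MLD2_LEN)) return -1;
    uintptr_t lo = (uintptr_t)s->head;
    return !(cached >= lo && cached < lo + s->linear);
}

/* Fixed shape: copy the group address by value before any later pull. */
int parse_by_value(struct fake_skb *s, uint8_t mca[MCA_LEN]) {
    if (!may_pull(s, MLD1_LEN)) return 0;
    memcpy(mca, s->head + MCA_OFF, MCA_LEN);
    return may_pull(s, MLD2_LEN);
}
```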

Detection Methods for CVE-2026-53275

Indicators of Compromise

  • KASAN reports containing slab-use-after-free in __mld_query_work in net/ipv6/mcast.c around line 1512
  • Kernel oops or panic traces referencing mld_query_work, process_one_work, and pskb_expand_head
  • Unexpected reboots or workqueue crashes on hosts processing IPv6 multicast traffic

Detection Strategies

  • Monitor kernel ring buffer (dmesg, journalctl -k) for KASAN slab-use-after-free signatures referencing the mld workqueue
  • Inspect IPv6 ICMPv6 type 130 (MLD Query) traffic for abnormally sized or malformed queries on local segments
  • Correlate host crashes with bursts of inbound multicast traffic using flow telemetry
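
For the traffic-inspection strategy, a sensor can classify each captured MLD query against the length rules of RFC 3810 (24 octets for MLDv1, at least 28 plus 16 per source for MLDv2, anything in between ignored). The following is an added example, not code from the kernel or the advisory; `classify_mld_query` and the verdict names are hypothetical, and the verdicts are a triage aid rather than a signature for this CVE.

```c
#include <stddef.h>
#include <stdint.h>

enum mld_verdict {
    MLD_NOT_QUERY,   /* not ICMPv6 type 130 */
    MLD_V1_QUERY,    /* exactly 24 octets */
    MLD_V2_QUERY,    /* 28 + 16 * nsrcs octets */
    MLD_V2_EXTRA,    /* valid MLDv2 with trailing octets: legal, worth baselining */
    MLD_MALFORMED    /* truncated, 25..27 octets, bad group, short source list */
};

/* buf/len: the ICMPv6 message from its type byte on; the caller has already
 * skipped the IPv6 header and any extension headers. */
enum mld_verdict classify_mld_query(const uint8_t *buf, size_t len) {
    if (len < 1 || buf[0] != 130) return MLD_NOT_QUERY;
    if (len < 24) return MLD_MALFORMED;

    /* Group field at offset 8 must be :: (general query) or multicast ff00::/8. */
    int all_zero = 1;
    for (size_t i = 8; i < 24; i++)
        if (buf[i]) all_zero = 0;
    if (!all_zero && buf[8] != 0xff) return MLD_MALFORMED;

    if (len == 24) return MLD_V1_QUERY;
    if (len < 28) return MLD_MALFORMED;     /* RFC 3810: silently ignored */

    /* Number of Sources is a big-endian 16-bit field at offset 26. */
    size_t nsrcs = ((size_t)buf[26] << 8) | buf[27];
    size_t need = 28 + 16 * nsrcs;
    if (len < need) return MLD_MALFORMED;   /* source list runs past the packet */
    return len == need ? MLD_V2_QUERY : MLD_V2_EXTRA;
}
```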

Monitoring Recommendations

  • Centralize kernel logs from Linux endpoints and servers into a SIEM and alert on KASAN, BUG:, and mld_query_work strings
  • Track kernel version inventory to identify hosts running unpatched stable branches
  • Baseline IPv6 multicast traffic volumes and alert on anomalous spikes from single sources

How to Mitigate CVE-2026-53275

Immediate Actions Required

  • Update the Linux kernel to a version that includes the upstream fix for the MLD query use-after-free
  • Apply the distribution vendor kernel update once published and reboot affected systems
  • For exposed multi-tenant or bare-metal hosts, prioritize patching nodes that share Layer 2 segments with untrusted workloads

Patch Information

The fix replaces the stored pointer with a copied multicast group address parsed before any pskb_may_pull() reallocation. Patch commits include 087dbacf, 1354271c, 2a613bf4, 4203806f, 53baa63a, 791c91dc, and b2eb8886.

Workarounds

  • Restrict IPv6 multicast traffic at the network edge and on host firewalls where MLD is not required
  • Disable IPv6 on hosts that do not require it, using sysctl controls described below
  • Apply Layer 2 controls such as MLD snooping with trust boundaries to limit query origins

```bash
# Drop inbound MLD queries on untrusted interfaces (ICMPv6 type 130)
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 130 -j DROP

# Disable IPv6 where not needed (persistent)
echo 'net.ipv6.conf.all.disable_ipv6 = 1' | sudo tee /etc/sysctl.d/99-disable-ipv6.conf
echo 'net.ipv6.conf.default.disable_ipv6 = 1' | sudo tee -a /etc/sysctl.d/99-disable-ipv6.conf
sudo sysctl --system
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
