HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-53175Published Modified CNA Linux

CVE-2026-53175: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.

Metrics

CVSS v3.1
9.8
Severity
CRITICAL
Fixed in
0
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's IP fragment reassembly code, specifically in the fqdir_pre_exit() flush path used during network namespace teardown. The flaw is reachable over the network without any authentication and affects IPv4, IPv6, netfilter conntrack reassembly, and 6lowpan reassembly. Successful exploitation gives an attacker the ability to read from and write to already-freed kernel memory, enabling arbitrary code execution, data disclosure, or a full system crash. Patched kernel versions are available, and a patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-53175 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that carry an affected Linux kernel version.

Available
Triage

Triage is available with a CVSS v3.1 base score of 9.8 (Critical), weighted further by each customer organization's compliance policy and asset sensitivity. Findings are routed automatically to the inbox configured for the relevant team within each customer org.

Available
Patch

A patched-image rebuild targeting the fixed kernel commits (including the 6.12.94 stable release) becomes available on HarborGuard once the upstream fix is confirmed for the image's base layer. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable reassembly path is triggered by crafted fragmented IP packets sent over the network, so the attacker must be able to reach the target host's network stack remotely.

  • AuthenticationNot required

    No account or credential of any kind is needed; sending raw fragmented packets to the host is sufficient to reach the vulnerable code path.

  • Victim interactionNot required

    The vulnerability is triggered entirely by incoming network traffic and requires no action from any user on the target system.

  • Attack complexityDetail

    Attack complexity is rated Low, meaning the exploit is reliable and does not depend on race-condition timing, specific memory layouts, or other environmental preconditions that the attacker cannot control.

Blast Radius

  • An attacker can read freed kernel slab memory, exposing kernel pointers, cryptographic material, or sensitive data from other processes or network namespaces.
  • An attacker can write to freed kernel slab memory via the inet_frag_queue_insert() append path, enabling controlled corruption of kernel heap structures.
  • Heap corruption can be leveraged to escalate to arbitrary kernel code execution, giving full control over the host.
  • If code execution is not achieved, the memory corruption reliably crashes the kernel, taking down all workloads on the affected node.

How HarborGuard Handles This

Available on HarborGuard: the scanner matches container images against CVE-2026-53175 by inspecting the kernel version embedded in or depended on by each image layer, covering both upstream base images and internally built images. For images confirmed to carry an affected kernel version, a rebuild targeting the patched stable release (6.12.94) or the corresponding upstream commits becomes available immediately upon fix publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced as a Critical-priority item in the HarborGuard dashboard for manual action. Because this flaw is in the network namespace teardown path, teams that cannot patch immediately should consider network policy controls that restrict which external sources can send fragmented IP traffic to vulnerable nodes, reducing the exposed attack surface while a patched rebuild is prepared.

See how HarborGuard automates this

Fix available

0010c3313a4d178dc2d3ce958d2e5cb055e2864c10e823ca0e7391630784ae7dd0981b7ad170a93d932594b09854970d7ba83eb2dc8c69a2edd158c8e6.12.946.18.367.0.137.189b909e9704587bfecc1aab1d37e98faee03b9f9c22599cc90e1cd5f8129c8670bd68a02ff7177b4
Affected packages
  • Linux / Linux
    < 0e823ca0e7391630784ae7dd0981b7ad170a93d9 (from 22ee4010866da81aeee08e1ea3fddbe418feb212) · < c22599cc90e1cd5f8129c8670bd68a02ff7177b4 (from 543555954b1ee8d1903a7020324efb41b0c97428) · < 89b909e9704587bfecc1aab1d37e98faee03b9f9 (from c70df25214ac9b32b53e18e6ae3b8f073ffa6903) · < 010c3313a4d178dc2d3ce958d2e5cb055e2864c1 (from 006a5035b495dec008805df249f92c22c89c3d2e) · < 32594b09854970d7ba83eb2dc8c69a2edd158c8e (from 006a5035b495dec008805df249f92c22c89c3d2e) · < 6.12.94 (from 6.12.93)
  • Linux / Linux
    6.19
    Fixed in 0, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References