CVE-2026-53260 · Severity: CRITICAL · CNA: Linux

CVE-2026-53260: tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().

In the Linux kernel, the following vulnerability has been resolved:

tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().

syzbot reported a weird reqsk->rsk_refcnt underflow in __inet_csk_reqsk_queue_drop().

The captured reqsk_put() in __inet_csk_reqsk_queue_drop() is called only when it successfully removes reqsk from ehash. Moreover, reqsk_timer_handler() calls another reqsk_put() after that. This indicates that the reqsk was missing both refcnts for ehash and the timer itself.

Since all the syzbot reports had PREEMPT_RT enabled, the only possible scenario is that reqsk_queue_hash_req() is preempted after mod_timer() and before refcount_set(), and then the timer triggered after 1s aborts the reqsk due to its listener's close().

Let's wrap mod_timer() and refcount_set() with preempt_disable_nested() and preempt_enable_nested().

Note that inet_ehash_insert() holds the normal spin_lock() (mutex in PREEMPT_RT), so it must be called outside of preempt_disable_nested(), but this is fine. The lookup path just ignores 0 sk_refcnt entries in ehash and tries to create another reqsk, but this will fail at inet_ehash_insert().

[0]:
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: e4 7d d1 0a 67 48 0f b9 3a eb 4a e8 38 3d 23 fd 48 8d 3d e1 7d d1 0a 67 48 0f b9 3a eb 37 e8 25 3d 23 fd 48 8d 3d de 7d d1 0a <67> 48 0f b9 3a eb 24 e8 12 3d 23 fd 48 8d 3d db 7d d1 0a 67 48 0f
RSP: 0000:ffffc90000157948 EFLAGS: 00010246
RAX: ffffffff84a1301b RBX: 0000000000000003 RCX: ffff88801ca98000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f72ae00
RBP: ffffffff99ae3b01 R08: ffff88801ca98000 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: ffff8880425ef568
R13: ffff8880425ef4f8 R14: ffff8880425ef578 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888126386000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b46710e9c CR3: 000000000dbb6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 reqsk_put include/net/request_sock.h:136 [inline]
 __inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x67/0x170 kernel/time/timer.c:2403
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1151
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
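To make the interleaving described in the commit message concrete, the following is a constructed user-space C model added here; it is not kernel code and not the upstream patch. The timer task runs at an explicit preemption point, and a put() on a zero count is recorded as the underflow syzbot observed instead of corrupting memory; placing inet_ehash_insert() ahead of the protected mod_timer()/refcount_set() pair is an assumption consistent with the message, not the verified upstream diff.

```c
/* Constructed user-space model of the reqsk_queue_hash_req() race (CVE-2026-53260).
 * Not kernel code: "preemption" is an explicit interleaving point where the timer
 * task may run, and a refcount underflow is recorded instead of freeing memory. */
#include <stdbool.h>

struct reqsk {
    int  refcnt;     /* models req->rsk_refcnt (refcount_t) */
    bool hashed;     /* models the entry being present in ehash */
    bool underflow;  /* set when a put() meets a zero count (the syzbot warning) */
};

static void reqsk_put(struct reqsk *r)
{
    if (r->refcnt <= 0) { r->underflow = true; return; } /* refcount_t: underflow; UAF */
    r->refcnt--;
}

/* reqsk_timer_handler() after the listener's close(): __inet_csk_reqsk_queue_drop()
 * puts the ehash reference only if it removed the entry, then the timer's own. */
static void timer_abort(struct reqsk *r)
{
    if (r->hashed) { r->hashed = false; reqsk_put(r); }
    reqsk_put(r);
}

/* Model of reqsk_queue_hash_req(). timer_ready: on PREEMPT_RT the timer thread can
 * preempt us as soon as mod_timer() queues it, i.e. before refcount_set(). fixed:
 * mod_timer()+refcount_set() sit inside preempt_{disable,enable}_nested(), so the timer
 * runs only after the count is set. inet_ehash_insert() first is an assumption. */
static void hash_req(struct reqsk *r, bool fixed, bool timer_ready)
{
    r->hashed = true;                  /* inet_ehash_insert(): lookups skip refcnt-0 entries */
    /* preempt_disable_nested() here in the fixed variant */
    bool pending = true;               /* mod_timer(&req->rsk_timer, jiffies + timeout) */
    if (timer_ready && !fixed) { timer_abort(r); pending = false; }  /* preempted here */
    r->refcnt = 2 + 1;                 /* refcount_set(): ehash + timer + caller */
    /* preempt_enable_nested(): a still-pending timer may run from here on */
    if (timer_ready && pending) timer_abort(r);
}

/* Run one interleaving to completion: hash a fresh request, then the caller drops
 * its reference. The returned struct reports whether the count ever underflowed. */
static struct reqsk run_scenario(bool fixed, bool timer_ready)
{
    struct reqsk r = { .refcnt = 0, .hashed = false, .underflow = false };
    hash_req(&r, fixed, timer_ready);
    reqsk_put(&r);                     /* caller's reqsk_put() once tcp_conn_request() is done */
    return r;
}
```

In the unfixed ordering with the timer preempting, both puts in timer_abort() hit a zero count; with the window closed, the timer's two puts and the caller's put bring the count cleanly to zero.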

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

A race-condition vulnerability in the Linux kernel's TCP request-socket handling (reqsk_queue_hash_req) allows a remote unauthenticated attacker to trigger a reference-count underflow leading to use-after-free memory corruption. The flaw is reachable over the network with no authentication required, and the CVSS vector rates the confidentiality, integrity, and availability impact on the host as High. Patched-image rebuilds at the fix versions (0, 7.0.13, 7.1, and the upstream commit identifiers) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-53260 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry an affected Linux kernel version.

Triage (Available)

HarborGuard scores this CVE at 9.8 CRITICAL per the CVSS v3.1 vector, and triage capability is available to weight that score against each environment's compliance policy and route findings to the appropriate team inbox within each customer organization.

Patch (Available)

A patched-image rebuild pinned to the fix versions is available on HarborGuard for any image found to carry an affected kernel. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network; an attacker must be able to send TCP connection requests to the target service.

  • Authentication: Not required

    No credentials or session token are needed; the attacker sends unauthenticated TCP SYN packets to trigger the race.

  • Victim interaction: Not required

    No user action is needed on the target host; the attack is fully remote and passive from the victim's perspective.

  • Attack complexity: Low

    Attack complexity is rated Low, meaning the race window is exploitable without relying on specific memory layouts or environmental preconditions beyond PREEMPT_RT being active on the kernel.

Blast Radius

  • A successful attacker achieves use-after-free memory corruption in kernel space, enabling arbitrary kernel memory reads that expose sensitive data such as credentials, keys, and network state.
  • The write impact is High, meaning the attacker can overwrite kernel memory structures to redirect execution or tamper with network connection tables.
  • The availability impact is High; the corrupted reference count causes kernel crashes or sustained denial of service, taking down all workloads on the affected host.
  • Any container sharing the host kernel, including workloads in other namespaces, is exposed once kernel memory integrity is compromised.

How HarborGuard Handles This

Available on HarborGuard: images carrying a Linux kernel version affected by CVE-2026-53260 are flagged automatically as soon as the CVE is ingested. Because this is a CRITICAL-severity issue with a published fix, patched-image rebuilds at the upstream fix versions are available immediately for matching images. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the image, executing a regression test run, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, HarborGuard surfaces the finding with full CVSS context and fix-version details so engineering teams can act manually. Until a patched kernel image is deployed, compensating controls such as restricting inbound TCP SYN exposure via network policy and isolating affected nodes to a separate network segment are worth considering.


Fix available

Fix versions: 0, 7.0.13, 7.1
Fix commits: b183215ff714efb747d9d5a429322ba6404b5401, e10902df24488ca722303133acfc82490f7d59ad

Affected packages
  • Linux / Linux
    < b183215ff714efb747d9d5a429322ba6404b5401 (from d2d6422f8bd17c6bb205133e290625a564194496)
    < e10902df24488ca722303133acfc82490f7d59ad (from d2d6422f8bd17c6bb205133e290625a564194496)
  • Linux / Linux
    6.12
    Fixed in 0, 7.0.13, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H