<Vulnerability name="CVE-2026-53264">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-25T00:00:00</PublicDate>
    <Bugzilla id="2492851" url="https://bugzilla.redhat.com/show_bug.cgi?id=2492851" xml:lang="en:us">
kernel: net/sched: act_api: use RCU with deferred freeing for action lifecycle
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.0</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-364</CWE>
    <Details xml:lang="en:us" source="Mitre">
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: use RCU with deferred freeing for action lifecycle

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
race with an associated action.

Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

 0: mutex_lock() &lt;-- holds the idr lock
 0: rcu_read_lock()
 0: p = idr_find(idr, index) &lt;-- action p is valid (RCU protects IDR)
 0: mutex_unlock() &lt;-- releases the idr lock
 1: refcount_dec_and_mutex_lock() &lt;-- refcnt 1-&gt;0, mutex held
 1: idr_remove(idr, index) &lt;-- Action removed from IDR
 1: mutex_unlock() &lt;-- mutex released allowing us to delete the action
 1: tcf_action_cleanup(p); kfree(p) &lt;-- Kfrees p immediately, no deferral
 0: refcount_inc_not_zero(&amp;p-&gt;tcfa_refcnt) &lt;-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by
adding struct rcu_head to tc_action used in the deferral and introducing a
call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

 0: rcu_read_lock()
 1: refcount_dec_and_mutex_lock() &lt;-- refcnt 1-&gt;0, mutex held
 1: idr_remove(idr, index)
 1: mutex_unlock()
 1: call_rcu(&amp;p-&gt;tcfa_rcu, tcf_action_rcu_free) &lt;-- defer kfree after grace period
 0: p = idr_find(idr, index)
 0: refcount_inc_not_zero(&amp;p-&gt;tcfa_refcnt) &lt;-- fails, refcnt already 0
 1: rcu_read_unlock() &lt;-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR.
CPU0's subsequent idr_find() will return NULL, and even if it still held a
stale pointer, the immediate kfree() is now deferred until after the RCU grace
period, so no UAF can occur.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the Linux kernel's networking scheduler. A race condition, which is a problem that occurs when multiple operations try to access the same resource at the same time, exists when network filter operations are run concurrently. This can lead to a Use-After-Free (UAF) vulnerability, where the system attempts to use memory that has already been released. This could potentially allow an attacker to cause system instability or execute arbitrary code.
    </Details>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-53264
https://nvd.nist.gov/vuln/detail/CVE-2026-53264
https://lore.kernel.org/linux-cve-announce/2026062517-CVE-2026-53264-081f@gregkh/T
    </References>
</Vulnerability>