{"id":"CVE-2026-53259","summary":"ipv6: anycast: insert aca into global hash under idev-\u003elock","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: anycast: insert aca into global hash under idev-\u003elock\n\nsyzbot reported a splat [1]: a slab-use-after-free in\nipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash\nunder RCU and dereferences a struct ifacaddr6 that has already been\nfreed while still linked in the hash, so a later reader walks into a\ndangling node.\n\nIn __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then\naca_get() bumps it to 2 to keep it alive across the unlocked region.\nIt is published to idev-\u003eac_list under idev-\u003elock, but\nipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent\nteardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL)\ncan slip into that window:\n\n CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL)\n ------------------------------ ------------------------------------\n aca_alloc() refcnt 1\n aca_get() refcnt 2\n write_lock_bh(idev-\u003elock)\n add aca to ac_list\n write_unlock_bh(idev-\u003elock)\n write_lock_bh(idev-\u003elock)\n pull aca off ac_list\n write_unlock_bh(idev-\u003elock)\n ipv6_del_acaddr_hash(aca)\n hlist_del_init_rcu() is a no-op,\n aca is not in the hash yet\n aca_put() refcnt 2-\u003e1\n ipv6_add_acaddr_hash(aca)\n aca now inserted into the hash\n aca_put() refcnt 1-\u003e0\n call_rcu(aca_free_rcu) -\u003e kfree(aca)\n\nThe hash removal becomes a no-op because the insertion has not\nhappened yet, so once CPU0 inserts and drops the last reference, the\naca is freed while still linked in inet6_acaddr_lst[], and readers\ndereference freed memory after the slab slot is reused.\n\nThis window opened once RTNL stopped serializing the join path against\ndevice teardown. Move ipv6_add_acaddr_hash() inside the idev-\u003elock\nsection so the ac_list and hash insertions are atomic with respect to\nteardown: a racing remover now either misses the aca entirely or finds\nit in both lists.\n\nacaddr_hash_lock is now nested under idev-\u003elock, which is acquired in\nsoftirq context, so switch all acaddr_hash_lock sites to spin_lock_bh()\nto avoid the irq lock inversion reported in [2].\n\n[1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a\n[2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/","modified":"2026-06-27T12:02:24.728792508Z","published":"2026-06-25T08:39:48.571Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53259.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/15be7e9fdbff831fb3e89b83cc337a4f85ad3310"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a967c498baa976b11d4800dda224c507416e97c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53259.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53259"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"eb1ac9ff6c4a5720b1a1476233be374c5dc44bff"},{"fixed":"15be7e9fdbff831fb3e89b83cc337a4f85ad3310"},{"fixed":"3a967c498baa976b11d4800dda224c507416e97c"},{"fixed":"f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53259.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53259.json"}}],"schema_version":"1.7.5"}