Home/CVE/In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in
CVE
↯ PDF report

CVE-2026-53239

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed.

Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed.

EPSS 0.00184
EPSS exploitation odds0.18% · top 91%
Monitor
  • ⚠ NVD has not scored this CVE yet - manual triage required (common for recent CVEs)
No Sigma yet — build one → YARA rules0
Look this up elsewhere - one-click external pivots
NVDCVE.orgCISAExploit-DBGitHub PoCVulnCheck KEVGreyNoise
How to read a CVE - triage first, then detect and patch
This page is every public fact about CVE-2026-53239, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.
Triage: should I act now? Four signals, and they are not interchangeable:
CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.
How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.
Then what - two workflows:
Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.
Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

Severity & exploitation scoring

EPSS exploitation probability
0.18%
Top 91%odds of exploitation in the next 30 days
CVSS metric silhouette
No structured CVSS vector for this CVE. Older entries often have only a numeric base score - the metric breakdown radar requires a full AV:_/AC:_/... vector string published by NVD.
SSVC triage
No SSVC vulnrichment for this CVE. CISA's Vulnrichment program scores newer CVEs (~2024 onwards) plus selected older critical ones. Use the EPSS probability + KEV status to triage instead.
Attack path
Full kill chain

ATT&CK techniques

1

Techniques this CVE enables. Pills with a solid outline are high confidence - named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. A small marks a technique that N independent sources agree on.

T1499 · Endpoint Denial of Service
▤ Build a SIEM detection for these techniques
🔗

References & Sources

8
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c
https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60
https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f
https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22
https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491
https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94
SOC and Response
Detection Engineering
Threat Hunting
Red Team and Pentest
Compliance and GRC
About
threatengine.sh