← Back

CVE-2026-53248

nvd nist
Published: Jun 25, 2026Modified: Jul 7, 2026

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (Secondary)

Description

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Affected (8)

Products: Linux: Linux Kernel
1 product
Linux Kernel
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Linux
From 6.15 to 6.18.36
From 6.19 to 7.0.13
Version 7.1 rc1
Version 7.1 rc2
Version 7.1 rc3
Version 7.1 rc4
Version 7.1 rc5
Version 7.1 rc6

References (3)

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch

Timeline

No history available yet.