9.8

CVE-2026-52982

net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

In the Linux kernel, the following vulnerability has been resolved:

net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()
when accessing skb->len for tx statistics after usb_submit_urb() has
been called:

  BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760
    drivers/net/usb/rtl8150.c:712
  Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226

The URB completion handler write_bulk_callback() frees the skb via
dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU
in softirq context before usb_submit_urb() returns in the submitter,
so by the time the submitter reads skb->len the skb has already been
queued to the per-CPU completion_queue and freed by net_tx_action():

  CPU A (xmit)                      CPU B (USB completion softirq)
  ------------                      ------------------------------
  dev->tx_skb = skb;
  usb_submit_urb()      --+
                          |-------> write_bulk_callback()
                          |           dev_kfree_skb_irq(dev->tx_skb)
                          |         net_tx_action()
                          |           napi_skb_cache_put()   <-- free
  netdev->stats.tx_bytes  |
    += skb->len;          <-- UAF read

Fix it by caching skb->len before submitting the URB and using the
cached value when updating the tx_bytes counter.

The pre-existing tx_bytes semantics are preserved: the counter tracks
the original frame length (skb->len), not the ETH_ZLEN/USB-alignment
padded "count" value that is handed to the device.  Changing that
would be a user-visible accounting change and is out of scope for
this UAF fix.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 5af290c86fa81ddbc86a08d54229af5daa40c6a4
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 24831b0b2ada9fef18d1f486b7b7c444ee5ba637
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 423b5b86e14e190f6e3161eb5f2ea5f908295ba7
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 5db090ca07b28a63fb1499690cf19a3f3adafacb
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 30cf9829d09ca958279c937af8e35495cd2f1e09
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 6999d70e0eda39af029fa1891c48f0a8832b09d5
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 4dd7eb94f79486b77ca6b4c8676aedbc465dc802
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 23f0e34c64acba15cad4d23e50f41f533da195fa
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.12
Status affected
Version 0
Version < 2.6.12
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.54% 0.415
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/5af290c86fa81ddbc86a08d54229af5daa40c6a4
https://git.kernel.org/stable/c/24831b0b2ada9fef18d1f486b7b7c444ee5ba637
https://git.kernel.org/stable/c/423b5b86e14e190f6e3161eb5f2ea5f908295ba7
https://git.kernel.org/stable/c/5db090ca07b28a63fb1499690cf19a3f3adafacb
https://git.kernel.org/stable/c/30cf9829d09ca958279c937af8e35495cd2f1e09
https://git.kernel.org/stable/c/6999d70e0eda39af029fa1891c48f0a8832b09d5
https://git.kernel.org/stable/c/4dd7eb94f79486b77ca6b4c8676aedbc465dc802
https://git.kernel.org/stable/c/23f0e34c64acba15cad4d23e50f41f533da195fa