-

CVE-2026-53097

wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()

When the mt7996 pci chip is detaching, the mt7996_crash_data is
released in mt7996_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7996_mac_dump_work().

The race condition can occur as follows:

CPU 0 (removal path)               | CPU 1 (workqueue)
mt7996_pci_remove()                | mt7996_sys_recovery_set()
 mt7996_unregister_device()        |  mt7996_reset()
  mt7996_coredump_unregister()     |   queue_work()
   vfree(dev->coredump.crash_data) | mt7996_mac_dump_work()
                                   |  crash_data-> // UAF

Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7996_unregister_device() to synchronize with any pending
or executing dump work.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 878161d5d4a469a6ef7f3fb4fe9f676bc508ee99
Version < 180182a3f23ff79430a32ca2c4c1885368ceab48
Status affected
Version 878161d5d4a469a6ef7f3fb4fe9f676bc508ee99
Version < aa4a31cd89f4fde5043ac613fe0e27014a60a60b
Status affected
Version 878161d5d4a469a6ef7f3fb4fe9f676bc508ee99
Version < 188e10f9ea3109d23c6b7643aa6ec2f5cb0faa6d
Status affected
Version 878161d5d4a469a6ef7f3fb4fe9f676bc508ee99
Version < c8f62f73bbced3a79894655bdb0b625462d956fc
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 6.4
Status affected
Version 0
Version < 6.4
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.063
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/180182a3f23ff79430a32ca2c4c1885368ceab48
https://git.kernel.org/stable/c/aa4a31cd89f4fde5043ac613fe0e27014a60a60b
https://git.kernel.org/stable/c/188e10f9ea3109d23c6b7643aa6ec2f5cb0faa6d
https://git.kernel.org/stable/c/c8f62f73bbced3a79894655bdb0b625462d956fc