9.8

CVE-2026-53247

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst
with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 6.2 < 6.6.143
LinuxLinux Kernel Version >= 6.7 < 6.12.94
LinuxLinux Kernel Version >= 6.13 < 6.18.36
LinuxLinux Kernel Version >= 6.19 < 7.0.13
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.51% 0.394
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/72775977e89c25c99ee84d2c5baa3f86a8ba5cb4
Patch
https://git.kernel.org/stable/c/459c6f35c58cf0fd5247e55d73ddaa29571d9b7e
Patch
https://git.kernel.org/stable/c/e634408d2b0cd939cfe019398a21fb47b7a8ffe3
Patch
https://git.kernel.org/stable/c/2d86aeb46d5f69c704065a8c69822582787272a1
Patch
https://git.kernel.org/stable/c/80df409e1a483676826a6c66e693dba6ac507751
Patch