CVE Catalog

CVE-2026-52971

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

In the Linux kernel, a use-after-free vulnerability was found in the ena network driver's get_timestamp function. The issue is due to missing synchronization when checking the active flag and reading the DMA memory pointer, which can lead to NULL pointer dereference.

Risk Assessment

An attacker could exploit this vulnerability to cause a kernel panic or potentially escalate privileges if they can control the freed memory.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). Check for the patch in your distribution and apply it.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: ena: PHC: Fix potential use-after-free in get_timestamp Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired. If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it. With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS