CVE Catalog

CVE-2026-52982

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.54%

41th percentile — higher than 41% of all known CVEs

Summary

A use-after-free vulnerability was discovered in the Linux kernel's rtl8150 driver for USB Ethernet devices. The issue occurs when rtl8150_start_xmit() reads skb->len after calling usb_submit_urb(), while the skb buffer may be freed by the USB completion handler before the transmission completes.

Risk Assessment

An attacker could exploit this vulnerability to achieve remote code execution or cause a denial of service (DoS) by sending specially crafted network traffic to a vulnerable USB Ethernet device.

Recommendation

Immediately update the Linux kernel to a version containing the fix that caches the skb->len value before calling usb_submit_urb(). Monitor your distribution for the availability of the patch.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called: BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226 The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action(): CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->tx_skb = skb; usb_submit_urb() --+ |-------> write_bulk_callback() | dev_kfree_skb_irq(dev->tx_skb) | net_tx_action() | napi_skb_cache_put() <-- free netdev->stats.tx_bytes | += skb->len; <-- UAF read Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter. The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS