CVE-2026-53097
UnknownSummary
A vulnerability has been identified in the Linux kernel related to use-after-free bugs in the mt7996_mac_dump_work() function. The issue occurs when the mt7996 PCI chip is being detached, and the crash_data is released while the dump_work task may still be running or pending.
Risk Assessment
This vulnerability may lead to unexpected system behavior, potentially resulting in crashes or data integrity violations. Organizations should be aware of the risks associated with using vulnerable kernel versions.
Recommendation
It is recommended to update the Linux kernel to a version that includes a fix for this vulnerability. Additionally, ensure that dump_work tasks are properly canceled before deallocating crash_data.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() When the mt7996 pci chip is detaching, the mt7996_crash_data is released in mt7996_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash_data is dereferenced again in mt7996_mac_dump_work(). The race condition can occur as follows: CPU 0 (removal path) | CPU 1 (workqueue) mt7996_pci_remove() | mt7996_sys_recovery_set() mt7996_unregister_device() | mt7996_reset() mt7996_coredump_unregister() | queue_work() vfree(dev->coredump.crash_data) | mt7996_mac_dump_work() | crash_data-> // UAF Fix this by ensuring dump_work is properly canceled before the crash_data is deallocated. Add cancel_work_sync() in mt7996_unregister_device() to synchronize with any pending or executing dump work.

