CVE-2026-53247
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
In the Linux kernel, a use-after-free vulnerability was found in the mtk_eth_soc driver. The mtk_free_dev() function calls metadata_dst_free() which frees metadata_dst memory immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer, which can lead to use of freed memory if the driver is torn down while packets still reference the dst.
Risk Assessment
The risk involves a use-after-free bug that could cause system crashes, data leaks, or potential arbitrary code execution in kernel context by an attacker.
Recommendation
It is recommended to immediately update the Linux kernel to a version containing the fix, which replaces metadata_dst_free() with dst_release(), ensuring safe memory deallocation with proper RCU grace period handling.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

