CVE Catalog

CVE-2026-53248

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile — higher than 31% of all known CVEs

Summary

A use-after-free vulnerability was found in the airoha network driver in the Linux kernel during metadata dst teardown. The metadata_dst_free() function freed memory directly via kfree(), bypassing the RCU grace period, allowing access to freed memory through noref pointers in the RX path.

Risk Assessment

An attacker could exploit this vulnerability to gain unauthorized access to kernel memory, potentially leading to privilege escalation or sensitive data leakage.

Recommendation

Immediately update the Linux kernel to a version containing the fix that replaces metadata_dst_free() with dst_release() using proper RCU mechanism.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS