In the Linux kernel, the following vulnerability has been resolved:
net: ena: PHC: Fix potential use-after-free in get_timestamp
Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from enadev->phc.virtaddr before the lock was acquired.
If enacomphcdestroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virtaddr=NULL. The gettimestamp path would then read a NULL virtaddr and dereference it.
With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52971.json",
"cna_assigner": "Linux"
}