In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: fix use-after-free in rtl8150startxmit()
syzbot reported a KASAN slab-use-after-free read in rtl8150startxmit() when accessing skb->len for tx statistics after usbsubmiturb() has been called:
BUG: KASAN: slab-use-after-free in rtl8150startxmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226
The URB completion handler writebulkcallback() frees the skb via devkfreeskbirq(dev->txskb). The URB may complete on another CPU in softirq context before usbsubmiturb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completionqueue and freed by nettx_action():
CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->txskb = skb; usbsubmiturb() --+ |-------> writebulkcallback() | devkfreeskbirq(dev->txskb) | nettxaction() | napiskbcacheput() <-- free netdev->stats.tx_bytes | += skb->len; <-- UAF read
Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter.
The pre-existing txbytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETHZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52982.json",
"cna_assigner": "Linux"
}