In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: fix use-after-free bugs in mt7915macdump_work()
When the mt7915 pci chip is detaching, the mt7915crashdata is released in mt7915coredumpunregister(). However, the work item dumpwork may still be running or pending, leading to UAF bugs when the already freed crashdata is dereferenced again in mt7915macdump_work().
The race condition can occur as follows:
CPU 0 (removal path) | CPU 1 (workqueue) mt7915pciremove() | mt7915sysrecoveryset() mt7915unregisterdevice() | mt7915reset() mt7915coredumpunregister() | queuework() vfree(dev->coredump.crashdata) | mt7915macdumpwork() | crashdata-> // UAF
Fix this by ensuring dumpwork is properly canceled before the crashdata is deallocated. Add cancelworksync() in mt7915unregisterdevice() to synchronize with any pending or executing dump work.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53098.json"
}