CVE-2026-53098

Source
https://cve.org/CVERecord?id=CVE-2026-53098
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53098.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53098
Downstream
Published
2026-06-24T16:30:35.887Z
Modified
2026-07-16T03:30:58.951354222Z
Summary
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: fix use-after-free bugs in mt7915macdump_work()

When the mt7915 pci chip is detaching, the mt7915crashdata is released in mt7915coredumpunregister(). However, the work item dumpwork may still be running or pending, leading to UAF bugs when the already freed crashdata is dereferenced again in mt7915macdump_work().

The race condition can occur as follows:

CPU 0 (removal path) | CPU 1 (workqueue) mt7915pciremove() | mt7915sysrecoveryset() mt7915unregisterdevice() | mt7915reset() mt7915coredumpunregister() | queuework() vfree(dev->coredump.crashdata) | mt7915macdumpwork() | crashdata-> // UAF

Fix this by ensuring dumpwork is properly canceled before the crashdata is deallocated. Add cancelworksync() in mt7915unregisterdevice() to synchronize with any pending or executing dump work.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53098.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4dbcb9125cc3e10a6d879c10e4f5816d05a87c49
Fixed
6d5202409467d621b6d1dfd7fc7dadb997fe66d2
Fixed
e6856af8a22a8e2cd18241a465ed00c2301b3a5e
Fixed
6b7cbb13c838cf2a5f2e7be0e96fe15250087939
Fixed
21ce6d867867645fff0ef657be18f61d9f39dcd8
Fixed
1146d0946b5358fad24812bd39d68f31cd40cc34

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53098.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53098.json"