In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_tunnel: fix use-after-free on object destroy
nfttunnelobjdestroy() calls metadatadstfree() which directly kfree()s the metadatadst, ignoring the dstentry refcount. Packets that took a reference via dsthold() in nfttunnelobjeval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dstrelease() operates on freed memory.
Replace metadatadstfree() with dstrelease() so the metadatadst is freed only after all references are dropped. The dst subsystem already handles metadatadst cleanup in dstdestroy() when DST_METADATA is set.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53212.json",
"cna_assigner": "Linux"
}