CVE-2026-53234

Source
https://cve.org/CVERecord?id=CVE-2026-53234
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53234.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53234
Downstream
Related
Published
2026-06-25T08:39:31.852Z
Modified
2026-07-10T03:53:55.571677362Z
Summary
net: ibm: emac: Fix use-after-free during device removal
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ibm: emac: Fix use-after-free during device removal

The driver was using devmregisternetdev() which causes unregisternetdev() to be deferred until the devres cleanup phase, which runs after emacremove() returns. This creates a use-after-free window where:

  1. emac_remove() is called, which tears down hardware (cancels work, detaches modules, unregisters from MAL)
  2. emac_remove() returns
  3. devres cleanup runs and finally calls unregister_netdev()

During step 3, the network stack might still process packets, triggering emacirq(), emacpoll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.).

Fix this by replacing devmregisternetdev() with manual registernetdev() and calling unregisternetdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released.

The change is safe because: - dev->ndev is assigned very early in probe (before any error paths that could bypass emacremove) - platformsetdrvdata() is only called after successful registration, so emacremove() only runs for fully registered devices - unregister_netdev() is idempotent and safe to call on any registered device

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53234.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a4dd8535a527061a01f2fd335596fa77ca240a96
Fixed
cf8e14db93eaecc4c0c58299be3b3183b0e53ed5
Fixed
c09c2e236eef6f59e105f38a30f5439e6ccbcad7
Fixed
c12584cd6078085d707266be864e7e1cc91d74e3
Fixed
a0130d682222ae21afc395aead7cd2d87e1a8358

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53234.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53234.json"