CVE-2026-53247

Source
https://cve.org/CVERecord?id=CVE-2026-53247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53247
Downstream
Published
2026-06-25T08:39:40.654Z
Modified
2026-07-09T03:51:38.726135754Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown

mtkfreedev() calls metadatadstfree() which frees the metadatadst with kfree() immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref() sets a non-refcounted pointer from the skb to the metadatadst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadatadstfree() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadatadstfree() with dstrelease() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via callrcuhurry(), ensuring all RCU readers have completed before the memory is freed.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53247.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d7605a729062bb554f03c5983d8cfb8c0b42e9c
Fixed
72775977e89c25c99ee84d2c5baa3f86a8ba5cb4
Fixed
459c6f35c58cf0fd5247e55d73ddaa29571d9b7e
Fixed
e634408d2b0cd939cfe019398a21fb47b7a8ffe3
Fixed
2d86aeb46d5f69c704065a8c69822582787272a1
Fixed
80df409e1a483676826a6c66e693dba6ac507751

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53247.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53247.json"