CVE-2026-53248

Source
https://cve.org/CVERecord?id=CVE-2026-53248
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53248.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53248
Downstream
Published
2026-06-25T08:39:41.307Z
Modified
2026-07-09T03:51:45.228196858Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
net: airoha: Fix use-after-free in metadata dst teardown
Details

In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Fix use-after-free in metadata dst teardown

airohametadatadstfree() runs metadatadstfree() which frees the metadatadst with kfree() immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref() sets a non-refcounted pointer from the skb to the metadatadst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadatadstfree() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadatadstfree() with dstrelease() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via callrcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53248.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
af3cf757d5c99011b9b94ea8d78aeaccc0153fdc
Fixed
6f829e2c17a53a35321268339cd252aff6d6d723
Fixed
4b5a574e033e66d2131eff1c18feef8d8643c67e
Fixed
b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53248.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53248.json"