CVE-2026-53300

Source
https://cve.org/CVERecord?id=CVE-2026-53300
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53300.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53300
Downstream
Published
2026-06-26T19:40:57.186Z
Modified
2026-07-08T08:13:44.785710669Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
net: enetc: fix NTMP DMA use-after-free issue
Details

In the Linux kernel, the following vulnerability has been resolved:

net: enetc: fix NTMP DMA use-after-free issue

The AI-generated review reported a potential DMA use-after-free issue [1]. If netcxmitntmpcmd() times out and returns an error, the pending command is not explicitly aborted, while ntmpfreedatamem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption. Because the hardware eventually processes the pending command and perform a DMA write of the response to the physical address of the freed buffer.

To resolve this issue, this patch does the following modifications:

  1. Convert cbdr->ring_lock from a spinlock to a mutex

The lock was originally a spinlock in case NTMP operations might be invoked from atomic context. After downstream support for all NTMP tables, no such usage has materialized. A mutex lock is now required because the driver now needs to reclaim used BDs and release associated DMA memory within the lock's context, while dmafreecoherent() might sleep.

  1. Introduce software command BD (struct netc_swcbd)

The hardware write-back overwrites the addr and len fields of the BD, so the driver cannot rely on the hardware BD to free the associated DMA memory. The driver now maintains a software shadow BD storing the DMA buffer pointer, DMA address, and size. And netcxmitntmpcmd() only reclaims older BDs when the number of used BDs reaches NETCCBDRCLEANWORK (16). The software BD enables correct DMA memory release. With this, struct ntmpdmabuf and ntmpfreedata_mem() are no longer needed and are removed.

  1. Require callers to hold ringlock across netcxmitntmpcmd()

netcxmitntmpcmd() releases the ringlock before the caller finishes consuming the response. At this point, if a concurrent thread submits a new command, it may trigger ntmpcleancbdr() and free the DMA buffer while it is still in use. Move ringlock ownership to the caller to ensure the response buffer cannot be reclaimed prematurely. So the helpers ntmpselectandlockcbdr() and ntmpunlock_cbdr() are added.

These changes eliminate the DMA use-after-free condition and ensure safe and consistent BD reclamation and DMA buffer lifecycle management.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53300.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4701073c3debd16d7f534f3eb808bd9b50601c0c
Fixed
37c8933064be714ee672b0a0523c2fd045b73b3d
Fixed
655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b
Fixed
3cade698881eb238f88cbbfec82acc2110440a3f

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53300.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53300.json"