netfilter: nft_tunnel: fix use-after-free on object destroy_CVE-2026-53212

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix use-after-free on object destroy

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Basic Information

ID CVE-2026-53212

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version af308b94a2a4a5a27bec9028354c4df444a7c8ba

Affected Versions Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba
Linux Linux 4.19

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_tunnel: fix use-after-free on object destroy\n\nnft_tunnel_obj_destroy() calls metadata_dst_free() which directly\nkfree()s the metadata_dst, ignoring the dst_entry refcount. Packets\nthat took a reference via dst_hold() in nft_tunnel_obj_eval() and\nare still queued (e.g. in a netem qdisc) are left with a dangling\npointer. When these packets are eventually dequeued, dst_release()\noperates on freed memory.\n\nReplace metadata_dst_free() with dst_release() so the metadata_dst\nis freed only after all references are dropped. The dst subsystem\nalready handles metadata_dst cleanup in dst_destroy() when\nDST_METADATA is set.",
    "published": "2026-06-25T08:39:16.888Z",
    "modified": "2026-06-28T06:40:26.976Z",
    "type": "cve",
    "title": "netfilter: nft_tunnel: fix use-after-free on object destroy",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05\nhttps://git.kernel.org/stable/c/55b79b1ae42372012413ce0413181d26679b17ef\nhttps://git.kernel.org/stable/c/5e9ee18b27fde88cb6148202b33916c66693fe82\nhttps://git.kernel.org/stable/c/8767fe4079affa74314d7eb3220e700150289842\nhttps://git.kernel.org/stable/c/fda6573a46ad24f35348e024905ee5bdf729797e\nhttps://git.kernel.org/stable/c/941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3\nhttps://git.kernel.org/stable/c/f9a0e4b61054cde89a2a77845293c726cc07cc43\nhttps://git.kernel.org/stable/c/c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a",
    "id": "CVE-2026-53212",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux af308b94a2a4a5a27bec9028354c4df444a7c8ba\nLinux Linux 4.19",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "af308b94a2a4a5a27bec9028354c4df444a7c8ba",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply