net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst
with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.

AI Analysis

Use-after-free vulnerability in the Linux kernel's mtk_eth_soc driver

Basic Information

ID CVE-2026-53247

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 2d7605a729062bb554f03c5983d8cfb8c0b42e9c

Affected Versions Linux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c
Linux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c
Linux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c
Linux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c
Linux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c
Linux Linux 6.2

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux Foundation

Product Linux Kernel

Version 2d7605a729062bb554f03c5983d8cfb8c0b42e9c, 6.2

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown\n\nmtk_free_dev() calls metadata_dst_free() which frees the metadata_dst\nwith kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_free() calls kfree() directly, a use-after-free can\noccur if any skb still holds a noref pointer to the dst when the driver\ntears it down.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path: when the refcount drops to zero, it schedules\nthe actual free via call_rcu_hurry(), ensuring all RCU readers have\ncompleted before the memory is freed.",
    "published": "2026-06-25T08:39:40.654Z",
    "modified": "2026-06-28T06:40:53.820Z",
    "type": "cve",
    "title": "net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/72775977e89c25c99ee84d2c5baa3f86a8ba5cb4\nhttps://git.kernel.org/stable/c/459c6f35c58cf0fd5247e55d73ddaa29571d9b7e\nhttps://git.kernel.org/stable/c/e634408d2b0cd939cfe019398a21fb47b7a8ffe3\nhttps://git.kernel.org/stable/c/2d86aeb46d5f69c704065a8c69822582787272a1\nhttps://git.kernel.org/stable/c/80df409e1a483676826a6c66e693dba6ac507751",
    "id": "CVE-2026-53247",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c\nLinux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c\nLinux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c\nLinux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c\nLinux Linux 2d7605a729062bb554f03c5983d8cfb8c0b42e9c\nLinux Linux 6.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c",
    "vendor": "Linux",
    "ai_description": "Use-after-free vulnerability in the Linux kernel's mtk_eth_soc driver",
    "ai_severity": "Critical",
    "ai_vendor": "Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c, 6.2",
    "ai_score": 9.8
}

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown_CVE-2026-53247