CVE-2026-53248

UNKNOWN 0.0

net: airoha: Fix use-after-free in metadata dst teardown

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

af3cf757d5c99011b9b94ea8d78aeaccc0153fdc < 6f829e2c17a53a35321268339cd252aff6d6d723 af3cf757d5c99011b9b94ea8d78aeaccc0153fdc < 4b5a574e033e66d2131eff1c18feef8d8643c67e af3cf757d5c99011b9b94ea8d78aeaccc0153fdc < b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0

Linux / Linux

6.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/6f829e2c17a53a35321268339cd252aff6d6d723 git.kernel.org: https://git.kernel.org/stable/c/4b5a574e033e66d2131eff1c18feef8d8643c67e git.kernel.org: https://git.kernel.org/stable/c/b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0