Description
In the Linux kernel, the following vulnerability has been resolved:

net: ena: PHC: Fix potential use-after-free in get_timestamp

Move the phc->active check and resp pointer assignment to after
acquiring the spinlock. Previously, phc->active was checked without
holding the lock, and resp was cached from ena_dev->phc.virt_addr
before the lock was acquired.

If ena_com_phc_destroy() runs between the lockless active check and
the lock acquisition, it sets active=false, releases the lock, frees
the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
then read a NULL virt_addr and dereference it.

With both the active check and the pointer read under the lock,
destroy cannot free the memory while get_timestamp is using it.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from a use‑after‑free vulnerability within the net/ena driver’s PHC timestamp path. A device’s active flag and DMA pointer were checked and cached without holding the protecting spinlock. If the PHC device is destroyed concurrently, the cached pointer can become NULL and the subsequent dereference corrupts kernel memory, potentially crashing the system or allowing an attacker to execute arbitrary code.
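The ordering problem described above, as an added example that is not the ena driver's code: a single-threaded user-space model in which a hypothetical `window` callback stands in for ena_com_phc_destroy() running between the check and the lock acquisition. The struct, the function names and the atomic_flag lock are assumptions made for illustration.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* User-space model (assumption): names follow the advisory text; atomic_flag
 * stands in for the spinlock and a heap word for the DMA response buffer. */
struct phc_model { atomic_flag lock; bool active; uint64_t *virt_addr; };
static void phc_lock(struct phc_model *p) { while (atomic_flag_test_and_set(&p->lock)) { } }
static void phc_unlock(struct phc_model *p) { atomic_flag_clear(&p->lock); }

static void phc_init(struct phc_model *p, uint64_t ts) {
    atomic_flag_clear(&p->lock);
    p->virt_addr = malloc(sizeof(*p->virt_addr));
    if (!p->virt_addr) abort();
    *p->virt_addr = ts;            /* constructed sample timestamp */
    p->active = true;
}

/* Teardown order from the description: clear active under the lock, unlock, free, NULL. */
static void phc_destroy(struct phc_model *p) {
    phc_lock(p); p->active = false; phc_unlock(p);
    free(p->virt_addr);
    p->virt_addr = NULL;
}

/* Pre-fix ordering: active check and pointer snapshot before the lock. `window` models
 * destroy running in that gap; -EFAULT marks where the driver would dereference. */
static int get_timestamp_prefix(struct phc_model *p, uint64_t *ts,
                                void (*window)(struct phc_model *)) {
    if (!p->active) return -ENODEV;          /* lockless check */
    uint64_t *resp = p->virt_addr;           /* cached outside the lock */
    if (window) window(p);
    phc_lock(p);
    int rc = p->virt_addr ? 0 : -EFAULT;     /* buffer gone while resp is still held */
    if (!rc) *ts = *resp;
    phc_unlock(p);
    return rc;
}

/* Post-fix ordering: check and pointer read both happen under the lock. */
static int get_timestamp_fixed(struct phc_model *p, uint64_t *ts,
                               void (*window)(struct phc_model *)) {
    if (window) window(p);
    phc_lock(p);
    int rc = p->active ? 0 : -ENODEV;
    if (!rc) *ts = *p->virt_addr;
    phc_unlock(p);
    return rc;
}
```

Passing `phc_destroy` as `window` reproduces the interleaving deterministically: the pre-fix ordering reaches the dereference point with the buffer already released, while the post-fix ordering sees `active == false` and returns before touching the pointer.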

Affected Systems

All Linux kernel installations that contain the ena network driver are affected. The vulnerability is a property of the kernel itself and applies to any distribution or vendor that has not incorporated the recent commit that moves the active check and pointer read inside the spinlock region.

Risk and Exploitability

The CVSS score is not published and the EPSS score is currently unavailable, so the precise exploitation likelihood cannot be quantified. The likely attack vector is that an attacker with local or privileged access could trigger destruction of the ENA PHC device while a timestamp read occurs, causing the use‑after‑free. The flaw is listed as a high‑severity kernel device driver issue and is not included in CISA’s KEV catalog, indicating no known active exploitation at this time, yet the memory corruption potential warrants prompt remediation.

Generated by OpenCVE AI on June 24, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel release that includes the ena driver fix (commit 95e8ae9af2a61b4e72f5c585bf4c7d8aaf2a2c98 or later).
  • If a kernel update is unavailable, prevent use of the ena network adapter by unloading the ena module or disabling the driver in system configuration.
  • As a temporary measure, isolate affected systems from networks where privileged access is limited and monitor for kernel crashes or abnormal behavior.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | net: ena: PHC: Fix potential use-after-free in get_timestamp
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:49.637Z

Reserved: 2026-06-09T07:44:35.375Z

Link: CVE-2026-52971

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses