Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()

When the mt7996 pci chip is detaching, the mt7996_crash_data is
released in mt7996_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7996_mac_dump_work().

The race condition can occur as follows:

CPU 0 (removal path) | CPU 1 (workqueue)
mt7996_pci_remove() | mt7996_sys_recovery_set()
mt7996_unregister_device() | mt7996_reset()
mt7996_coredump_unregister() | queue_work()
vfree(dev->coredump.crash_data) | mt7996_mac_dump_work()
| crash_data-> // UAF

Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7996_unregister_device() to synchronize with any pending
or executing dump work.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug exists in the mt76 driver for the MT7996 PCIe wireless chip in the Linux kernel. When the device is removed, its crash data structure is freed while a pending work item continues to reference it, leading to undefined kernel behavior. The bug can corrupt memory, cause a kernel panic or result in a denial of service. The vulnerability is limited to local kernel context and would require a privileged user to trigger the device removal or hot‑plug scenario.

Affected Systems

All Linux kernel builds that include the mt76 driver for MT7996 wireless devices and lack the recent patch that cancels pending work before freeing the crash data. The specific kernel version is not listed, but any kernel older than the commit that introduced cancel_work_sync in mt7996_unregister_device is affected.

Risk and Exploitability

The exploit is local; an attacker with kernel or privileged user rights can trigger device detachment to cause a use‑after‑free. No remote network vector is indicated. The EPSS score is not available and the issue is not listed in CISA KEV, so the measurable risk exposure is currently unclear, but kernel crashes directly impact availability and could enable privilege escalation if memory corruption is exploitable further.

Generated by OpenCVE AI on June 24, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the mt76 mt7996 use‑after‑free fix (e.g., commit 180182a3f23ff79430a32ca2c4c1885368ceab48).
  • If a kernel upgrade is not immediately possible, restrict privileged users from performing hot removal of the MT7996 device so that the device removal path does not occur unexpectedly.
  • As a temporary measure, monitor for kernel panics or crash logs; if a crash occurs, reboot to restore service until the patch can be applied.

Generated by OpenCVE AI on June 24, 2026 at 20:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() When the mt7996 pci chip is detaching, the mt7996_crash_data is released in mt7996_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash_data is dereferenced again in mt7996_mac_dump_work(). The race condition can occur as follows: CPU 0 (removal path) | CPU 1 (workqueue) mt7996_pci_remove() | mt7996_sys_recovery_set() mt7996_unregister_device() | mt7996_reset() mt7996_coredump_unregister() | queue_work() vfree(dev->coredump.crash_data) | mt7996_mac_dump_work() | crash_data-> // UAF Fix this by ensuring dump_work is properly canceled before the crash_data is deallocated. Add cancel_work_sync() in mt7996_unregister_device() to synchronize with any pending or executing dump work.
Title wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:35.223Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53097

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses