Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()

When the mt7915 pci chip is detaching, the mt7915_crash_data is
released in mt7915_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7915_mac_dump_work().

The race condition can occur as follows:

CPU 0 (removal path)            | CPU 1 (workqueue)
mt7915_pci_remove()             | mt7915_sys_recovery_set()
mt7915_unregister_device()      | mt7915_reset()
mt7915_coredump_unregister()    | queue_work()
vfree(dev->coredump.crash_data) | mt7915_mac_dump_work()
                                | crash_data-> // UAF

Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7915_unregister_device() to synchronize with any pending
or executing dump work.
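
The teardown ordering described above, as an added userspace C model that is not code from the kernel patch or from this page. The `model_*` names and `removal_hits_uaf()` are hypothetical stand-ins, the run is single-threaded, and it covers only the case where dump_work is still pending when removal starts.

```c
/* Added illustration: single-threaded userspace model, not kernel code. */
#include <stdbool.h>
#include <stdlib.h>

struct model_dev {
    char *crash_data;   /* stands in for dev->coredump.crash_data */
    bool  data_freed;   /* tracked so the model never touches freed memory */
    bool  work_pending; /* dump_work sitting on the workqueue */
    bool  uaf;          /* set where the real handler would hit freed memory */
};

/* CPU 1: mt7915_reset() -> queue_work() */
static void model_queue_dump_work(struct model_dev *d) { d->work_pending = true; }

/* CPU 1: body of mt7915_mac_dump_work(), run whenever the scheduler gets to it */
static void model_run_pending(struct model_dev *d)
{
    if (!d->work_pending)
        return;
    d->work_pending = false;
    if (d->data_freed)
        d->uaf = true;          /* crash_data-> on freed memory in the real driver */
    else
        d->crash_data[0] = 1;   /* normal case: the dump is written */
}

/* Models cancel_work_sync() for the pending case: the queued work never runs */
static void model_cancel_work_sync(struct model_dev *d) { d->work_pending = false; }

/* CPU 0: mt7915_coredump_unregister() -> vfree(crash_data) */
static void model_coredump_unregister(struct model_dev *d)
{
    free(d->crash_data);
    d->crash_data = NULL;
    d->data_freed = true;
}

/* Replays the interleaving from the description; returns true on a UAF. */
bool removal_hits_uaf(bool cancel_before_free)
{
    struct model_dev d = { .crash_data = calloc(1, 64) };
    model_queue_dump_work(&d);          /* recovery queued the dump */
    if (cancel_before_free)
        model_cancel_work_sync(&d);     /* the ordering the fix adds */
    model_coredump_unregister(&d);      /* removal frees crash_data */
    model_run_pending(&d);              /* workqueue finally runs the item */
    return d.uaf;
}
```
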
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the mt76/mt7915 Wi-Fi driver: the crash data structure is freed during device removal while a deferred work function may still reference it. When the freed memory is dereferenced again, the use-after-free leads to kernel memory corruption or a kernel panic. The impact is a denial of service, and the same memory corruption could potentially be leveraged for local privilege escalation if an attacker can trigger the race condition with sufficient control over the PCI device state.

Affected Systems

All Linux kernel builds that include the mt76/mt7915 driver code from before the patch that adds cancel_work_sync() are potentially affected. The record does not specify an explicit kernel version range, so any kernel containing the older mt7915 driver implementation may remain vulnerable until the update is applied.

Risk and Exploitability

No CVSS score, EPSS score, or KEV listing is publicly available for this CVE, so there is no recorded indication of active exploitation. The flaw requires local or privileged access to initiate the device removal sequence, which makes it a local risk. If an attacker can orchestrate the race condition, the impact is high, but the exploitation complexity and prerequisite conditions reduce the overall likelihood under typical scenarios.

Generated by OpenCVE AI on June 24, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied kernel patch that incorporates the cancel_work_sync fix for the mt7915 driver
  • Ensure the updated kernel image and modules are rebuilt and loaded, confirming the driver code has been updated
  • Avoid hot‑plugging or removing the affected PCI device while the system is running; rely on proper shutdown procedures to prevent the race condition

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Title | | wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:35.887Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53098

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses