Impact
The vulnerability is a use-after-free (CWE‑416) in the Linux kernel's netfilter nft_tunnel code. When a tunnel object is destroyed, the destroy path calls metadata_dst_free(), which frees the object's metadata_dst (the per-tunnel destination metadata attached to outgoing packets) unconditionally, ignoring the reference count. Packets that took their own reference with dst_hold() and are still queued, for example in a netem qdisc that delays transmission, keep pointing at the freed memory. When those packets are later dequeued, dst_release() operates on the dangling pointer and can corrupt kernel memory. An attacker able to trigger the destroy path while such packets are queued can therefore cause a kernel panic (denial of service) and, because the corruption happens in kernel context, potentially achieve arbitrary code execution.
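To make the reference-count mismatch concrete, the following is an added userland model written for this page; it is not kernel code and not the patch itself. It replaces free() with a 'freed' flag so the dangling use can be reported rather than crash, and all names in it (md_dst, md_dst_alloc, run_scenario, the *_model helpers) are constructed stand-ins for the real kernel helpers metadata_dst_alloc(), dst_hold(), metadata_dst_free() and dst_release(). The constructed scenario is the one the advisory describes: one packet holding a reference sits in a one-slot "qdisc" while the tunnel object is destroyed, then is dequeued.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the objects involved (not kernel code): a refcounted
 * metadata_dst, an skb that holds a reference to it, and a one-slot "qdisc"
 * that keeps the skb queued across the tunnel object's destruction.
 */
struct md_dst {
    int refcnt;     /* models dst->__refcnt */
    bool freed;     /* set where the kernel would actually free the memory */
};

struct skb {
    struct md_dst *dst;     /* models skb_dst(skb) */
};

/* models metadata_dst_alloc(): the owning object starts with one reference */
static struct md_dst *md_dst_alloc(void)
{
    struct md_dst *d = calloc(1, sizeof *d);
    if (d)
        d->refcnt = 1;
    return d;
}

/* models dst_hold(): a packet taking its own reference */
static void dst_hold(struct md_dst *d)
{
    d->refcnt++;
}

/* models metadata_dst_free(): unconditional free, refcount ignored (the bug) */
static void metadata_dst_free_model(struct md_dst *d)
{
    d->freed = true;
}

/*
 * models dst_release(): drop one reference and free on the last one.
 * Returns -1 if called on memory that was already freed, which is the
 * use-after-free the advisory describes.
 */
static int dst_release_model(struct md_dst *d)
{
    if (d->freed)
        return -1;
    if (--d->refcnt == 0)
        d->freed = true;
    return 0;
}

/*
 * use_fix selects dst_release() (patched) or metadata_dst_free() (unpatched)
 * for the destroy step. *refcnt_seen receives the refcount at the destroy
 * step. Returns 0 if the later dequeue is clean, -1 on use-after-free.
 */
static int run_scenario(bool use_fix, int *refcnt_seen)
{
    struct md_dst *md = md_dst_alloc();
    struct skb queued;      /* the single slot of the model qdisc */
    int rc;

    if (!md)
        return -2;

    queued.dst = md;
    dst_hold(md);           /* refcnt: 2 (object owner + queued packet) */

    /* nft tunnel object destroyed while the packet is still queued */
    if (use_fix) {
        dst_release_model(md);          /* refcnt: 1, memory still valid */
        *refcnt_seen = md->refcnt;
    } else {
        *refcnt_seen = md->refcnt;      /* 2, and about to be ignored */
        metadata_dst_free_model(md);    /* memory gone, packet still points at it */
    }

    /* netem timer fires: packet dequeued, its reference dropped */
    rc = dst_release_model(queued.dst);
    free(md);
    return rc;
}

int run_unpatched(void) { int r; return run_scenario(false, &r); }
int run_patched(void)   { int r; return run_scenario(true, &r); }

/* refcount right after the destroy step in the patched model (expected 1) */
int patched_refcnt_after_destroy(void)
{
    int r = 0;
    run_scenario(true, &r);
    return r;
}

/* refcount the unpatched destroy path ignored (expected 2) */
int unpatched_refcnt_ignored(void)
{
    int r = 0;
    run_scenario(false, &r);
    return r;
}

int main(void)
{
    printf("unpatched destroy path: %s\n",
           run_unpatched() == -1 ? "use-after-free on dequeue" : "clean");
    printf("patched destroy path:   %s\n",
           run_patched() == 0 ? "clean" : "use-after-free on dequeue");
    return 0;
}
```

The model shows why swapping the call is the whole fix: dst_release() only drops the destroy path's own reference, so the metadata_dst survives until the queued packet's dst_release() brings the count to zero, whereas metadata_dst_free() tears it down with a reference still outstanding.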
Affected Systems
Every Linux kernel build that carries the vulnerable nft_tunnel implementation is affected. The advisory lists no specific release numbers; the flaw is present in any kernel that predates the fixing commit, which replaces the metadata_dst_free() call in the tunnel object's destroy path with dst_release(), so the metadata_dst is freed only when its last reference, including any held by queued packets, is dropped. To check a given kernel, confirm that the fixing commit from the referenced git patches is in its history, or inspect the source: a net/netfilter/nft_tunnel.c whose object destroy callback still calls metadata_dst_free() is unpatched, while one that calls dst_release() there carries the fix.
Risk and Exploitability
A use-after-free (CWE‑416) in kernel code is generally rated high severity. No EPSS score is currently available and the flaw is not listed in the CISA KEV catalog, but memory corruption in kernel context makes a successful trigger serious: at minimum a crash of the whole host, and in the worst case privilege escalation or arbitrary code execution. Two practical caveats bound exploitability: creating and deleting nftables objects requires CAP_NET_ADMIN in the relevant network namespace (a capability an unprivileged user namespace grants over its own namespace where such namespaces are enabled), and the attacker also needs packets still queued with a reference to the tunnel's metadata_dst at the moment the object is destroyed. With no public exploitation evidence, the risk is currently theoretical, but proactive remediation is advised.
OpenCVE Enrichment