Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix use-after-free on object destroy

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free condition in the Linux kernel’s netfilter nft_tunnel module. When an nft_tunnel object is destroyed, nft_tunnel_obj_destroy calls metadata_dst_free, which directly frees a destination metadata structure without respecting reference counts held by packets. Packets that hold a reference via dst_hold and remain queued (for example in a netem qdisc) therefore end up with a dangling pointer. When those packets are eventually dequeued, dst_release operates on freed memory, corrupting kernel memory. This flaw is identified as CWE‑1341 and can give an attacker the ability to execute code in the kernel or cause a kernel panic.

Affected Systems

All Linux kernel builds that contain the vulnerable nft_tunnel implementation and do not include the commit which replaces metadata_dst_free with dst_release are impacted. The CVE data does not list specific kernel versions, so affected users must confirm whether their kernel incorporates the referenced commit (349df61526d2e39decc685d246202e3e284cfe05). No statement can be made about whether the latest stable kernels contain the fix; verification against the patch set is required.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of < 1% indicates a very low but non‑zero likelihood of exploitation, and the flaw is not listed in CISA KEV. No public exploitation evidence is available, so the risk is predominantly theoretical. Nonetheless, the potential for memory corruption in kernel context warrants proactive remediation. Likely attack vectors require privileged local access or manipulation of traffic that triggers the nft_tunnel destroy path.

Generated by OpenCVE AI on June 28, 2026 at 14:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the commit replacing metadata_dst_free with dst_release; check vendor release notes or the patch ID 349df61526d2e39decc685d246202e3e284cfe05 to confirm the fix is present.
  • If an upgrade is not possible, download the patch from https://git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05, apply it to the kernel source tree, and rebuild the kernel with the modification to eliminate the use‑after‑free.
  • After applying the patch or upgrading, test nft_tunnel functionality by sending traffic that exercises the tunnel object lifecycle, and monitor kernel logs for any memory corruption or taint messages to ensure the issue has been fully resolved.

Generated by OpenCVE AI on June 28, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.
Title netfilter: nft_tunnel: fix use-after-free on object destroy
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:26.976Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53212

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53212 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses
  • CWE-1341

    Multiple Releases of Same Resource or Handle