Impact
The vulnerability is a use‑after‑free condition in the Linux kernel’s netfilter nft_tunnel module. When an nft_tunnel object is destroyed, nft_tunnel_obj_destroy calls metadata_dst_free, which directly frees a destination metadata structure without respecting reference counts held by packets. Packets that hold a reference via dst_hold and remain queued (for example in a netem qdisc) therefore end up with a dangling pointer. When those packets are eventually dequeued, dst_release operates on freed memory, corrupting kernel memory. This flaw is identified as CWE‑1341 and can give an attacker the ability to execute code in the kernel or cause a kernel panic.
Affected Systems
All Linux kernel builds that contain the vulnerable nft_tunnel implementation and do not include the commit which replaces metadata_dst_free with dst_release are impacted. The CVE data does not list specific kernel versions, so affected users must confirm whether their kernel incorporates the referenced commit (349df61526d2e39decc685d246202e3e284cfe05). No statement can be made about whether the latest stable kernels contain the fix; verification against the patch set is required.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity. The EPSS score of < 1% indicates a very low but non‑zero likelihood of exploitation, and the flaw is not listed in CISA KEV. No public exploitation evidence is available, so the risk is predominantly theoretical. Nonetheless, the potential for memory corruption in kernel context warrants proactive remediation. Likely attack vectors require privileged local access or manipulation of traffic that triggers the nft_tunnel destroy path.
OpenCVE Enrichment
Debian DLA