Description
In the Linux kernel, the following vulnerability has been resolved:

net: ibm: emac: Fix use-after-free during device removal

The driver was using devm_register_netdev() which causes unregister_netdev()
to be deferred until the devres cleanup phase, which runs after emac_remove()
returns. This creates a use-after-free window where:

1. emac_remove() is called, which tears down hardware (cancels work, detaches
modules, unregisters from MAL)
2. emac_remove() returns
3. devres cleanup runs and finally calls unregister_netdev()

During step 3, the network stack might still process packets, triggering
emac_irq(), emac_poll(), or other handlers that access now-freed hardware
resources (dev->emacp, dev->mal, etc.).

Fix this by replacing devm_register_netdev() with manual register_netdev()
and calling unregister_netdev() at the beginning of emac_remove(), before
any hardware teardown. This ensures the network device is fully stopped and
unregistered before hardware resources are released.

The change is safe because:
- dev->ndev is assigned very early in probe (before any error paths that
could bypass emac_remove)
- platform_set_drvdata() is only called after successful registration, so
emac_remove() only runs for fully registered devices
- unregister_netdev() is idempotent and safe to call on any registered device
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s IBM emac network driver contains a use‑after‑free flaw that occurs when a device is removed. During the removal sequence, devm_register_netdev() defers the call to unregister_netdev() until the devres cleanup phase, which runs after the hardware teardown performed by emac_remove(). While the driver is still tearing down the hardware, the networking stack can process packets or invoke interrupt handlers that reference the now‑freed hardware resources, resulting in memory corruption or a kernel crash. This weakness is a classic use‑after‑free and is listed under CWE‑364 for use of freed memory.

Affected Systems

The Emac driver is part of the Linux kernel. No specific kernel version numbers are provided in the CVE description, so any kernel build that still contains the original emac implementation prior to this patch is potentially affected. The vulnerability is identified through the Linux all kernel images that include the unpatched Emac driver.

Risk and Exploitability

The vulnerability is not listed in CISA KEV and the EPSS score is reported as less than 1%, indicating a very low likelihood of exploitation. The CV specify the privilege level required to trigger the removal of the Emac device; an attacker would need to cause or influence this removal to exploit the flaw. If successfully triggered, an attacker could force a kernel crash or denial of service. The impact is severe, but the low exploitation probability suggests a moderate overall risk. Prompt patching is recommended.

Generated by OpenCVE AI on June 26, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that contains the Emac driver patch, which replaces devm_register_netdev() with register_netdev() and calls unregister_netdev() before hardware teardown.
  • If an immediate kernel update is not available, enforce policies that prevent removal or disabling of Emac devices until the patch is applied, thereby eliminating the use‑after‑free window.
  • Maintain the kernel at the latest patched release and monitor vendor advisories for additional updates or related advisories.

Generated by OpenCVE AI on June 26, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 00:15:00 +0000


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: ibm: emac: Fix use-after-free during device removal The driver was using devm_register_netdev() which causes unregister_netdev() to be deferred until the devres cleanup phase, which runs after emac_remove() returns. This creates a use-after-free window where: 1. emac_remove() is called, which tears down hardware (cancels work, detaches modules, unregisters from MAL) 2. emac_remove() returns 3. devres cleanup runs and finally calls unregister_netdev() During step 3, the network stack might still process packets, triggering emac_irq(), emac_poll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.). Fix this by replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released. The change is safe because: - dev->ndev is assigned very early in probe (before any error paths that could bypass emac_remove) - platform_set_drvdata() is only called after successful registration, so emac_remove() only runs for fully registered devices - unregister_netdev() is idempotent and safe to call on any registered device
Title net: ibm: emac: Fix use-after-free during device removal
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:31.852Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53234

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53234 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T05:30:17Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition