Description
In the Linux kernel, the following vulnerability has been resolved:

net: ibm: emac: Fix use-after-free during device removal

The driver was using devm_register_netdev() which causes unregister_netdev()
to be deferred until the devres cleanup phase, which runs after emac_remove()
returns. This creates a use-after-free window where:

1. emac_remove() is called, which tears down hardware (cancels work, detaches
modules, unregisters from MAL)
2. emac_remove() returns
3. devres cleanup runs and finally calls unregister_netdev()

During step 3, the network stack might still process packets, triggering
emac_irq(), emac_poll(), or other handlers that access now-freed hardware
resources (dev->emacp, dev->mal, etc.).

Fix this by replacing devm_register_netdev() with manual register_netdev()
and calling unregister_netdev() at the beginning of emac_remove(), before
any hardware teardown. This ensures the network device is fully stopped and
unregistered before hardware resources are released.

The change is safe because:
- dev->ndev is assigned very early in probe (before any error paths that
could bypass emac_remove)
- platform_set_drvdata() is only called after successful registration, so
emac_remove() only runs for fully registered devices
- unregister_netdev() is idempotent and safe to call on any registered device
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IBM Emac Ethernet driver in the Linux kernel creates a use‑after‑free condition when a device is removed. During removal the driver defers the unregistration of the network device until the devres cleanup phase, which occurs after the hardware teardown has already happened. This gap can allow the kernel’s networking stack to process packets or invoke interrupt handlers that reference hardware resources that have been freed, leading to memory corruption or a system crash. The flaw is a classic use‑after‑free vulnerability and can be exploited to destabilize the system.
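
The removal ordering described above, reduced to a userspace C model (an added example, not code from the kernel or from OpenCVE; every model_* name and simulate_removal() is hypothetical). It counts handler runs that would touch released hardware under the old and the fixed removal order.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; the names are hypothetical, not kernel code. */
struct model_dev {
    bool hw_alive;      /* stands in for dev->emacp, dev->mal */
    bool registered;    /* netdev still reachable by the network stack */
    void (*devres_action)(struct model_dev *); /* deferred cleanup or NULL */
    int stale_accesses; /* handler runs that touched released hardware */
};

static void model_unregister(struct model_dev *d) { d->registered = false; }
static void model_hw_teardown(struct model_dev *d) { d->hw_alive = false; }

/* Stands in for emac_irq()/emac_poll(): reachable only while registered. */
static void model_handler(struct model_dev *d)
{
    if (d->registered && !d->hw_alive)
        d->stale_accesses++; /* in the real driver: a use-after-free */
}

/* Old ordering: remove() tears down hardware, unregister is left to devres. */
static void remove_old(struct model_dev *d) { model_hw_teardown(d); }

/* Fixed ordering: unregister first, then tear down hardware. */
static void remove_fixed(struct model_dev *d)
{
    model_unregister(d);
    model_hw_teardown(d);
}

/* Driver-core model: remove(), traffic arrives, then devres cleanup runs. */
int simulate_removal(bool fixed)
{
    struct model_dev d = { .hw_alive = true, .registered = true,
                           .devres_action = fixed ? NULL : model_unregister };
    model_handler(&d);                        /* before removal: hardware live */
    (fixed ? remove_fixed : remove_old)(&d);  /* steps 1 and 2 */
    model_handler(&d);                        /* window between steps 2 and 3 */
    if (d.devres_action)
        d.devres_action(&d);                  /* step 3: deferred unregister */
    model_handler(&d);                        /* after cleanup: unreachable */
    return d.stale_accesses;
}

int main(void)
{
    printf("old: %d, fixed: %d\n", simulate_removal(false), simulate_removal(true));
    return 0;
}
```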

Affected Systems

The vulnerability affects the Emac driver that is part of the Linux kernel. No specific kernel version numbers are listed, so any kernel containing the old Emac implementation is potentially affected.

Risk and Exploitability

The vulnerability lacks a CVSS score and its EPSS score is not available, and it is not listed in CISA KEV. Because the flaw can cause a kernel crash, the theoretical impact is severe. The likely attack vector is local; an attacker would need to trigger a device removal or otherwise manipulate the driver interface, which generally requires privileged access. The absence of exploitation data suggests that the risk is moderate but the potential for denial of service warrants timely remediation.

Generated by OpenCVE AI on June 25, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the Emac driver patch replacing devm_register_netdev with register_netdev and calling unregister_netdev at the start of emac_remove()
  • If a kernel update cannot be applied, avoid removing or disabling Emac devices until the system is restarted or the patch is applied
  • Keep Linux kernel at the latest patched release and monitor vendor advisories for any further updates

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Title net: ibm: emac: Fix use-after-free during device removal
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:31.852Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53234

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:13Z

Weaknesses