Description
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst
with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.
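
The lifetime rule described above, as a user-space toy model in C (an added example, not code from the kernel or from the patch). The `toy_*` names, the reader counter and the one-slot deferred-free queue are constructed stand-ins for the kernel's RCU and dst machinery, and a `freed` flag replaces the real kfree() so the check is safe to run.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy user-space model (constructed); the toy_* names are not kernel APIs. */
struct toy_dst { int refcnt; bool freed; };   /* freed stands in for kfree() */

static int rcu_readers;              /* readers inside a read-side section */
static struct toy_dst *rcu_pending;  /* one-slot deferred-free queue */

static void toy_rcu_read_lock(void) { rcu_readers++; }
static void toy_rcu_read_unlock(void)
{
    /* The last reader leaving ends the grace period: run the deferred free. */
    if (--rcu_readers == 0 && rcu_pending) {
        rcu_pending->freed = true;
        rcu_pending = NULL;
    }
}

/* Pre-fix teardown: frees at once, as the page says metadata_dst_free() does. */
static void toy_free_now(struct toy_dst *d) { d->freed = true; }

/* Post-fix teardown: drop the owner's reference, defer the free past readers. */
static void toy_release(struct toy_dst *d)
{
    if (--d->refcnt > 0)
        return;
    if (rcu_readers == 0)
        d->freed = true;
    else
        rcu_pending = d;
}

/* RX holds a noref pointer while teardown runs. Returns true if the reader saw
 * freed memory; *freed_after is the object's state once the reader has left. */
static bool rx_races_teardown(void (*teardown)(struct toy_dst *), bool *freed_after)
{
    struct toy_dst dst = { .refcnt = 1, .freed = false };
    struct toy_dst *noref;
    bool uaf;

    toy_rcu_read_lock();
    noref = &dst;           /* RX path: attach the dst, no refcount taken */
    teardown(&dst);         /* driver teardown interleaves here */
    uaf = noref->freed;     /* reader dereferences its dst pointer */
    toy_rcu_read_unlock();
    *freed_after = dst.freed;
    return uaf;
}
```

With `toy_free_now` the reader observes a freed object while still inside its read-side section; with `toy_release` the object is freed only after the reader leaves.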
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the MediaTek Ethernet SoC driver in the Linux kernel, where a metadata destination object is freed directly with kfree() instead of through the RCU‑safe reference counting path. This allows an attacker to send crafted packets that trigger the driver to tear down the metadata while network buffers still hold non‑refcounted pointers to it, causing a use‑after‑free. If exploited, an attacker could corrupt kernel memory or cause a crash, potentially escalating privileges or disrupting service. The weakness is a classic CWE‑416 use‑after‑free.

Affected Systems

Vendors: Linux; Product: Linux Kernel. The flaw affects any kernel build that includes the MediaTek mtk_eth_soc driver prior to the patch that replaces metadata_dst_free() with dst_release(). No specific version numbers are provided, so all versions containing the legacy implementation are susceptible.

Risk and Exploitability

The exact CVSS score is not disclosed, and the EPSS metric is unavailable, so an objective quantitative risk assessment cannot be provided. However, the flaw is a low‑level kernel bug that can be triggered by network traffic, implying a remote attack surface. The flaw is not listed in the CISA KEV catalog, but flaws of this kind are frequently exploited. The inferred attack vector is remote network traffic sent to the affected Ethernet interface; no local privileges are explicitly required beyond NIC access.

Generated by OpenCVE AI on June 25, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the mtk_eth_soc driver fix to the RCU reference‑counted freeing mechanism.
  • If an immediate kernel upgrade is not possible, restart the system after applying the patch commits to ensure the changes are in effect.
  • Consider disabling or reconfiguring the affected Ethernet interface (mtk_eth_soc) so that it does not process traffic until the patch is applied, or implement firewall rules to block traffic from untrusted sources until remediation is complete.

Generated by OpenCVE AI on June 25, 2026 at 11:50 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

  • Weaknesses: added CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

  • Description: added (identical to the Description text at the top of this page)
  • Title: added net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
  • First Time appeared: added Linux; Linux linux Kernel
  • CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: added Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:40.654Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53247

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:13Z

Weaknesses