Description
In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Fix use-after-free in metadata dst teardown

airoha_metadata_dst_free() runs metadata_dst_free() which frees the
metadata_dst with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the airoha driver frees a metadata destination (metadata_dst) object immediately with kfree(), bypassing the RCU grace period. A non‑refcounted pointer from a socket buffer (skb) to this object must stay valid until all RCU readers finish. If the driver tears down the object while an skb still references it, the memory can be reused before the reference is cleared, resulting in a use‑after‑free condition. This can lead to arbitrary code execution, system crash, or denial of service.
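The ordering problem described above, as an added userspace model in C (not kernel or driver code, and not part of the original record). The names model_dst, model_rcu_*, teardown_* and run_rx_during_teardown are hypothetical, and the grace period is simplified to "no readers remain".

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdio.h>
struct model_dst { int refcnt; int freed; };  /* freed=1: memory returned */
struct outcome { int uaf; int freed_after; };
static int rcu_readers;            /* readers inside a read-side section */
static struct model_dst *pending;  /* free deferred until readers leave */

static void model_rcu_read_lock(void) { rcu_readers++; }
static void model_rcu_read_unlock(void)
{
    /* Last reader leaving ends the grace period: run the deferred free. */
    if (--rcu_readers == 0 && pending) {
        pending->freed = 1;
        pending = NULL;
    }
}
/* Pre-fix teardown: immediate free, as metadata_dst_free() does with kfree(). */
static void teardown_immediate(struct model_dst *d) { d->freed = 1; }

/* Post-fix teardown: drop the reference; at zero, defer the free past readers. */
static void teardown_release(struct model_dst *d)
{
    if (--d->refcnt > 0)
        return;
    if (rcu_readers)
        pending = d;   /* models call_rcu_hurry(): free after readers finish */
    else
        d->freed = 1;
}

/* RX path holds a noref pointer while the driver tears the dst down. */
static struct outcome run_rx_during_teardown(void (*teardown)(struct model_dst *))
{
    struct model_dst d = { .refcnt = 1, .freed = 0 };
    struct outcome o;
    model_rcu_read_lock();
    struct model_dst *noref = &d;  /* like skb_dst_set_noref(): no refcount taken */
    teardown(&d);
    o.uaf = noref->freed;          /* 1 = reader touched freed memory */
    model_rcu_read_unlock();
    o.freed_after = d.freed;       /* 1 = memory reclaimed once readers left */
    return o;
}

int main(void)
{
    struct outcome a = run_rx_during_teardown(teardown_immediate);
    struct outcome b = run_rx_during_teardown(teardown_release);
    printf("immediate: uaf=%d  dst_release: uaf=%d\n", a.uaf, b.uaf);
}
```

In both runs the object is reclaimed in the end; only the immediate path reclaims it while the reader is still inside its read-side section.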

Affected Systems

The flaw exists in the Linux kernel’s airoha network driver and concerns any Linux distribution shipping a kernel version that includes the airoha module. The affected release range is not specified in the data, but the issue was addressed in the kernel’s airoha driver code as shown in the referenced commits.

Risk and Exploitability

The behavior requires that the attacker can send crafted packets to the affected system so the driver tears down the metadata destination while the packet is still being processed. Because the flaw is a classic use‑after‑free, it is a high severity memory corruption vulnerability; however, EPSS data is not available and it is not listed in CISA KEV, so there is no known active exploitation yet. The likelihood of exploitation depends on an attacker’s ability to target the vulnerable driver and to maintain references to the freed object long enough for RCU read‑side protection to mis‑apply.

Generated by OpenCVE AI on June 25, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the airoha driver patch from the referenced commits
  • If an immediate kernel upgrade is not possible, unload or blacklist the airoha driver module using modprobe blacklist or appropriate kernel boot parameters to prevent loading the vulnerable code
  • Reboot the system after applying the patch or disabling the module so the changes take effect

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
Title | | net: airoha: Fix use-after-free in metadata dst teardown
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:41.307Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53248

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:45:15Z

Weaknesses