Skip to main content

Linux Kernel CVE-2026-52971

| EUVDEUVD-2026-38839 HIGH
Use After Free (CWE-416)
2026-06-24 Linux GHSA-pffq-9wr4-6hjx
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.7 MEDIUM

Local low-priv access (AV:L/PR:L); winning a narrow destroy-vs-read race raises AC:H; realistic impact is a kernel crash (A:H) rather than confirmed C/I compromise.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:38 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ena: PHC: Fix potential use-after-free in get_timestamp

Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired.

If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it.

With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.

AnalysisAI

Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged shell on ENA host
Delivery
Repeatedly invoke PHC get_timestamp ioctl
Exploit
Race concurrent ena_com_phc_destroy() teardown
Execution
Read freed/NULL virt_addr pointer
Persist
Dereference dangling DMA buffer
Impact
Kernel crash or memory corruption

Vulnerability AssessmentAI

Exploitation Requires local access with at least low privileges (CVSS PR:L) on a Linux host where the Amazon ENA driver is loaded AND the PTP Hardware Clock (PHC) feature is active - primarily AWS EC2 Nitro instances using ENA hardware timestamping. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine but low-urgency local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, low-privileged user on an AWS-hosted Linux instance running the ENA driver with PHC active repeatedly invokes the hardware-timestamp read path while the PHC clock is concurrently torn down (e.g., during a device reset or reconfiguration), winning the race so get_timestamp dereferences the freed/NULL virt_addr. The most likely outcome is a kernel crash (denial of service); reliable info-leak or privilege escalation would require additional, non-trivial heap-grooming. …
Remediation Upstream fix available; update to a kernel containing the fix - per EUVD the patched stable versions are 6.18.33, 7.0.10, and 7.1 (mainline fix commit e42c755582f0960e684298762f0ab927b3778376; stable backports 95e8ae9af2a61b4e72f5c585bf4c7d8aaf2a2c98 and ca9ed40f28949353911dcb524ff8fff2f3409c97 at https://git.kernel.org/stable/c/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems using Amazon ENA drivers (typically AWS EC2 instances) and verify current kernel versions against known vulnerable releases. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy