Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-priv access (AV:L/PR:L); winning a narrow destroy-vs-read race raises AC:H; realistic impact is a kernel crash (A:H) rather than confirmed C/I compromise.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: ena: PHC: Fix potential use-after-free in get_timestamp
Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired.
If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it.
With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.
AnalysisAI
Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access with at least low privileges (CVSS PR:L) on a Linux host where the Amazon ENA driver is loaded AND the PTP Hardware Clock (PHC) feature is active - primarily AWS EC2 Nitro instances using ENA hardware timestamping. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine but low-urgency local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local, low-privileged user on an AWS-hosted Linux instance running the ENA driver with PHC active repeatedly invokes the hardware-timestamp read path while the PHC clock is concurrently torn down (e.g., during a device reset or reconfiguration), winning the race so get_timestamp dereferences the freed/NULL virt_addr. The most likely outcome is a kernel crash (denial of service); reliable info-leak or privilege escalation would require additional, non-trivial heap-grooming. … |
| Remediation | Upstream fix available; update to a kernel containing the fix - per EUVD the patched stable versions are 6.18.33, 7.0.10, and 7.1 (mainline fix commit e42c755582f0960e684298762f0ab927b3778376; stable backports 95e8ae9af2a61b4e72f5c585bf4c7d8aaf2a2c98 and ca9ed40f28949353911dcb524ff8fff2f3409c97 at https://git.kernel.org/stable/c/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems using Amazon ENA drivers (typically AWS EC2 instances) and verify current kernel versions against known vulnerable releases. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38839
GHSA-pffq-9wr4-6hjx