Skip to main content

Linux Kernel CVE-2026-52982

| EUVDEUVD-2026-38850 CRITICAL
Use After Free (CWE-416)
2026-06-24 Linux GHSA-pjm2-h6fg-mfw7
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Needs local RTL8150 hardware and a tight SMP timing race (AV:L, AC:H, PR:L); main impact is potential crash (A:H) with only marginal freed-memory read (C:L), no integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:41 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
CRITICAL 9.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called:

BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226

The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action():

CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->tx_skb = skb; usb_submit_urb() --+

|-------> write_bulk_callback() | dev_kfree_skb_irq(dev->tx_skb) | net_tx_action() | napi_skb_cache_put() <-- free netdev->stats.tx_bytes | += skb->len; <-- UAF read

Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter.

The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.

AnalysisAI

Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attach/possess RTL8150 USB Ethernet adapter
Delivery
Generate rapid outbound TX traffic
Exploit
Race usb_submit_urb vs write_bulk_callback
Execution
SKB freed before skb->len read
Impact
UAF read corrupts stats / destabilizes kernel

Vulnerability AssessmentAI

Exploitation Requires an RTL8150-based USB-to-Ethernet adapter to be present and bound (driver rtl8150 loaded) on the target, plus active transmission on that interface to drive the TX path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N (9.8 Critical) is the inflated auto-assigned score typical of bulk Linux kernel CVEs and does not match the actual mechanics: this is a TX-path race that requires a physically present RTL8150 USB Ethernet adapter and concurrent transmit/completion on an SMP host, which is far from a remote, no-privilege, network-reachable RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker (or attacker-controlled malicious USB device) on a host with an RTL8150 USB Ethernet adapter generates rapid outbound traffic to force concurrent rtl8150_start_xmit() submission and write_bulk_callback() completion across CPUs, winning the race so the SKB is freed before skb->len is read. The resulting use-after-free read corrupts/leaks a stats value and, depending on allocator state, can destabilize the kernel; no public exploit code exists and reliable exploitation is impeded by the narrow timing window.
Remediation Vendor-released patch: update to a fixed stable kernel - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (also 5.10.258, 5.15.209 for older trees) - or apply the corresponding upstream commit (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running RTL8150 USB Ethernet adapters in your infrastructure (check device inventory or vendor documentation). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy