Skip to main content

Linux Kernel CVE-2026-53212

| EUVDEUVD-2026-39303 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j962-fx34-5263
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local CAP_NET_ADMIN needed (PR:L, AV:L); reliably winning the destroy-versus-dequeue race raises AC:H; kernel-memory UAF supports C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:34 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix use-after-free on object destroy

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

AnalysisAI

Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local CAP_NET_ADMIN (e.g. via namespace)
Delivery
Create nft_tunnel object and route packets
Exploit
Buffer referencing packets in netem qdisc
Execution
Destroy tunnel object to free metadata_dst
Persist
Dequeue packets triggering dst_release UAF
Impact
Corrupt kernel heap for privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access on the host and the ability to configure netfilter nf_tables, i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a genuine but not urgent local-kernel issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker holding CAP_NET_ADMIN (for instance a user inside a network namespace or container) creates an nftables tunnel object and arranges traffic so packets take a dst_hold() reference and are buffered in a netem qdisc, then destroys the tunnel object to free the metadata_dst while those references remain. When the queued packets are dequeued, dst_release() operates on freed kernel memory; with heap grooming this use-after-free can be shaped toward kernel memory corruption and privilege escalation, or at minimum a kernel crash (DoS). …
Remediation Upgrade to a Linux kernel that includes the fix replacing metadata_dst_free() with dst_release(): vendor-released patched versions are 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and mainline 7.1 - apply the build matching your stable branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running affected Linux kernel versions with nf_tables tunnel module enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy