Skip to main content

Linux Kernel CVE-2026-53234

| EUVDEUVD-2026-39325 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-86vm-vp8g-7929
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local UAF reachable only by triggering privileged device unbind (PR:H) and winning a teardown race (AC:H); kernel memory corruption yields full C/I/A impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 08, 2026 - 19:11 vuln.today
CVSS changed
Jul 08, 2026 - 19:07 NVD
7.8 (HIGH)
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: ibm: emac: Fix use-after-free during device removal

The driver was using devm_register_netdev() which causes unregister_netdev() to be deferred until the devres cleanup phase, which runs after emac_remove() returns. This creates a use-after-free window where:

  1. emac_remove() is called, which tears down hardware (cancels work, detaches

modules, unregisters from MAL)

  1. emac_remove() returns
  2. devres cleanup runs and finally calls unregister_netdev()

During step 3, the network stack might still process packets, triggering emac_irq(), emac_poll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.).

Fix this by replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released.

The change is safe because:

  • dev->ndev is assigned very early in probe (before any error paths that

could bypass emac_remove)

  • platform_set_drvdata() is only called after successful registration, so

emac_remove() only runs for fully registered devices

  • unregister_netdev() is idempotent and safe to call on any registered device

AnalysisAI

Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local privileged access
Delivery
Trigger EMAC driver unbind/removal
Exploit
emac_remove frees hardware resources
Execution
Inbound packets invoke emac_irq/emac_poll
Persist
Access freed dev->emacp/dev->mal
Impact
Corrupt kernel memory (crash or escalate)

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a system running the IBM EMAC Ethernet driver (IBM/AMCC PowerPC 4xx-class hardware) and the ability to trigger driver unbind or device removal - an operation gated behind privileged (root) access to the driver's sysfs unbind interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a genuine-but-low-priority local memory-corruption bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with administrative access to a PowerPC system running the IBM EMAC driver initiates a driver unbind or device hot-removal while the EMAC interface is actively processing network traffic. Incoming packets during the narrow post-emac_remove() window drive emac_irq()/emac_poll() to dereference freed structures (dev->emacp, dev->mal), corrupting kernel memory to crash the host or, with careful heap grooming, attempt privilege escalation. …
Remediation Vendor-released patch: upgrade to Linux 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on each branch), which move unregister_netdev() to the start of emac_remove() before hardware teardown. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all IBM PowerPC Linux systems; confirm kernel version and EMAC driver status (grep 'emac' /boot/config-* or check 'lsmod | grep emac'). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy