Skip to main content

Linux Kernel CVE-2026-53247

| EUVDEUVD-2026-39198 CRITICAL
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mm4j-fwqr-3cf4
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.7 MEDIUM

Teardown is admin-triggered (PR:H) and the bug is a hard-to-win race on local MediaTek hardware (AV:L/AC:H); impact is mainly a kernel crash (A:H) with only incidental memory corruption (I:L) and no info disclosure (C:N).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:43 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

AnalysisAI

Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local privileged access to MediaTek device
Delivery
Drive sustained RX traffic populating metadata dst
Exploit
Trigger interface/driver teardown during RX
Execution
Race frees dst before RCU readers finish
Persist
Stale skb dereferences freed memory
Impact
Kernel crash or memory corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires the affected mtk_eth_soc driver to be loaded and active on MediaTek Ethernet SoC hardware, with live RX traffic that causes skbs to carry noref metadata_dst pointers (i.e., hardware paths using metadata/lightweight-tunnel dst). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict sharply and should override the headline CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a MediaTek SoC device actively receiving traffic that populates metadata dst pointers, an administrator-level action (driver unload, device removal, or interface teardown) frees the metadata_dst while an in-flight RX skb still holds a noref pointer, causing a use-after-free read of reclaimed kernel memory. The most likely outcome is a kernel panic/DoS; turning the race into controlled corruption would require precise timing and heap grooming and is unproven. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on each branch), or apply the corresponding stable commits (e.g., 2d86aeb46d5f69c704065a8c69822582787272a1, 459c6f35c58cf0fd5247e55d73ddaa29571d9b7e, 72775977e89c25c99ee84d2c5baa3f86a8ba5cb4, 80df409e1a483676826a6c66e693dba6ac507751, e634408d2b0cd939cfe019398a21fb47b7a8ffe3 at https://git.kernel.org/stable/c/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all routers, switches, and network appliances running MediaTek mtk_eth_soc driver and document current kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy