Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Teardown is admin-triggered (PR:H) and the bug is a hard-to-win race on local MediaTek hardware (AV:L/AC:H); impact is mainly a kernel crash (A:H) with only incidental memory corruption (I:L) and no info disclosure (C:N).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
AnalysisAI
Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the affected mtk_eth_soc driver to be loaded and active on MediaTek Ethernet SoC hardware, with live RX traffic that causes skbs to carry noref metadata_dst pointers (i.e., hardware paths using metadata/lightweight-tunnel dst). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict sharply and should override the headline CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a MediaTek SoC device actively receiving traffic that populates metadata dst pointers, an administrator-level action (driver unload, device removal, or interface teardown) frees the metadata_dst while an in-flight RX skb still holds a noref pointer, causing a use-after-free read of reclaimed kernel memory. The most likely outcome is a kernel panic/DoS; turning the race into controlled corruption would require precise timing and heap grooming and is unproven. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on each branch), or apply the corresponding stable commits (e.g., 2d86aeb46d5f69c704065a8c69822582787272a1, 459c6f35c58cf0fd5247e55d73ddaa29571d9b7e, 72775977e89c25c99ee84d2c5baa3f86a8ba5cb4, 80df409e1a483676826a6c66e693dba6ac507751, e634408d2b0cd939cfe019398a21fb47b7a8ffe3 at https://git.kernel.org/stable/c/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all routers, switches, and network appliances running MediaTek mtk_eth_soc driver and document current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39198
GHSA-mm4j-fwqr-3cf4