Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Triggered by a privileged, timing-dependent teardown race local to the host, so AV:L/AC:H/PR:L; a kernel UAF can yield disclosure, corruption, and crash, so C/I/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: airoha: Fix use-after-free in metadata dst teardown
airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
AnalysisAI
Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the airoha_eth driver to be in use (Airoha/MediaTek EN7581-class Ethernet hardware) and active receive traffic so that skbs hold noref pointers to the metadata_dst, while a teardown of that dst occurs (driver unload or interface reconfiguration). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On an Airoha EN7581-based device under active RX traffic, a privileged local operation that tears down the metadata dst (driver unload or interface reconfiguration) races against skbs still holding noref pointers to the just-freed dst, causing the kernel to dereference freed memory. The most likely outcome is a kernel crash (denial of service), with potential for memory corruption that a skilled attacker could attempt to escalate. … |
| Remediation | Apply the vendor kernel update: upgrade to a stable Linux release containing the fix (patched branches indicated around 6.18.36, 7.0.13, and 7.1), which replaces the synchronous metadata_dst_free()/kfree() with the RCU-safe dst_release() path - see the stable commits 4b5a574e033e66d2131eff1c18feef8d8643c67e, b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0, and 6f829e2c17a53a35321268339cd252aff6d6d723 at git.kernel.org/stable and the advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-53248. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems using Airoha network drivers by running 'lsmod | grep airoha_eth'; document kernel versions of affected machines. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39199
GHSA-83pq-fmf8-563q