Skip to main content

Linux Kernel CVE-2026-53248

| EUVDEUVD-2026-39199 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-83pq-fmf8-563q
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Triggered by a privileged, timing-dependent teardown race local to the host, so AV:L/AC:H/PR:L; a kernel UAF can yield disclosure, corruption, and crash, so C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:43 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Fix use-after-free in metadata dst teardown

airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

AnalysisAI

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Local access to Airoha device under RX load
Delivery
Trigger airoha driver teardown/reconfig
Exploit
Race frees metadata_dst via kfree
Execution
In-flight skb dereferences freed dst
Persist
Kernel use-after-free
Impact
Crash or memory corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires the airoha_eth driver to be in use (Airoha/MediaTek EN7581-class Ethernet hardware) and active receive traffic so that skbs hold noref pointers to the metadata_dst, while a teardown of that dst occurs (driver unload or interface reconfiguration). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On an Airoha EN7581-based device under active RX traffic, a privileged local operation that tears down the metadata dst (driver unload or interface reconfiguration) races against skbs still holding noref pointers to the just-freed dst, causing the kernel to dereference freed memory. The most likely outcome is a kernel crash (denial of service), with potential for memory corruption that a skilled attacker could attempt to escalate. …
Remediation Apply the vendor kernel update: upgrade to a stable Linux release containing the fix (patched branches indicated around 6.18.36, 7.0.13, and 7.1), which replaces the synchronous metadata_dst_free()/kfree() with the RCU-safe dst_release() path - see the stable commits 4b5a574e033e66d2131eff1c18feef8d8643c67e, b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0, and 6f829e2c17a53a35321268339cd252aff6d6d723 at git.kernel.org/stable and the advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-53248. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems using Airoha network drivers by running 'lsmod | grep airoha_eth'; document kernel versions of affected machines. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy