Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local UAF reachable only by triggering privileged device unbind (PR:H) and winning a teardown race (AC:H); kernel memory corruption yields full C/I/A impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net: ibm: emac: Fix use-after-free during device removal
The driver was using devm_register_netdev() which causes unregister_netdev() to be deferred until the devres cleanup phase, which runs after emac_remove() returns. This creates a use-after-free window where:
- emac_remove() is called, which tears down hardware (cancels work, detaches
modules, unregisters from MAL)
- emac_remove() returns
- devres cleanup runs and finally calls unregister_netdev()
During step 3, the network stack might still process packets, triggering emac_irq(), emac_poll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.).
Fix this by replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released.
The change is safe because:
- dev->ndev is assigned very early in probe (before any error paths that
could bypass emac_remove)
- platform_set_drvdata() is only called after successful registration, so
emac_remove() only runs for fully registered devices
- unregister_netdev() is idempotent and safe to call on any registered device
AnalysisAI
Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a system running the IBM EMAC Ethernet driver (IBM/AMCC PowerPC 4xx-class hardware) and the ability to trigger driver unbind or device removal - an operation gated behind privileged (root) access to the driver's sysfs unbind interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a genuine-but-low-priority local memory-corruption bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with administrative access to a PowerPC system running the IBM EMAC driver initiates a driver unbind or device hot-removal while the EMAC interface is actively processing network traffic. Incoming packets during the narrow post-emac_remove() window drive emac_irq()/emac_poll() to dereference freed structures (dev->emacp, dev->mal), corrupting kernel memory to crash the host or, with careful heap grooming, attempt privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to Linux 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on each branch), which move unregister_netdev() to the start of emac_remove() before hardware teardown. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all IBM PowerPC Linux systems; confirm kernel version and EMAC driver status (grep 'emac' /boot/config-* or check 'lsmod | grep emac'). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39325
GHSA-86vm-vp8g-7929