CVE-2026-53157 in Linux

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

net: phonet: free phonet_device after RCU grace period

phonet_device_destroy() removes a phonet_device from the per-net device list with list_del_rcu(), but frees it immediately. RCU readers walking the same list can still hold a pointer to the object after it has been removed, leading to a slab-use-after-free.

Use kfree_rcu(), matching the lifetime rule already used by phonet_address_del() for the same object type.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability in question resides within the Linux kernel's phonet networking subsystem where a use-after-free condition occurs due to improper memory management during device destruction operations. This issue affects the phonet_device data structure which is part of the kernel's networking infrastructure designed for phonet protocol communication. The flaw manifests when a phonet device is being destroyed and removed from the per-network device list through the list_del_rcu() function.

The technical implementation error stems from the phonet_device_destroy() function, which performs two distinct operations in sequence without proper synchronization. First, it removes the phonet_device from the device list using list_del_rcu(), which is appropriate for RCU (Read-Copy-Update) protected lists, but then it immediately calls kfree() to deallocate the memory. This immediate deallocation creates a race condition in which RCU readers that were traversing the list at the moment of deletion may still hold references to the freed memory location, resulting in memory corruption and potential system instability.

The operational impact of this vulnerability extends beyond simple memory corruption as it represents a classic slab-use-after-free scenario that can be exploited by malicious actors to achieve arbitrary code execution. According to CWE-416, this vulnerability maps directly to use-after-free conditions where freed memory is accessed, while the underlying RCU mechanism failure aligns with ATT&CK technique T1059 for command and scripting interpreter usage in exploitation scenarios. The vulnerability affects systems running Linux kernels that implement phonet networking capabilities, potentially compromising network integrity and system stability.

The resolution strategy involves implementing proper RCU memory management using kfree_rcu() instead of immediate free operations. This approach ensures that the memory deallocation occurs only after the RCU grace period has elapsed, allowing all active readers to complete their operations before the memory is actually freed. The fix mirrors the existing pattern already implemented in phonet_address_del() for the same object type, maintaining consistency in kernel memory management practices and following established kernel coding standards for RCU operations. This solution prevents the race condition by ensuring proper synchronization between the list removal operation and the actual memory deallocation, thereby eliminating the potential for use-after-free exploitation while preserving the intended functionality of the phonet networking subsystem.
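The lifetime rule described above, as an added userspace model (not kernel code and not taken from the patch): a reader holds a list entry while a writer unlinks it, and the entry is either released at once or deferred until readers have left. All names are hypothetical, the object's slab state is modelled with a flag so nothing is really freed, and the grace period is simplified to "the last reader has left its read-side section".

```c
/* Userspace model of the lifetime rule; not kernel code. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
enum obj_state { OBJ_LIVE, OBJ_UNLINKED, OBJ_FREED };
struct pdev {                    /* stands in for struct phonet_device */
    struct pdev *next, *defer_next;
    enum obj_state state;        /* models slab state; nothing is really freed */
};
struct model {
    struct pdev *head;           /* per-net device list */
    struct pdev *deferred;       /* unlinked objects awaiting a grace period */
    int readers;                 /* readers inside a read-side section */
};
static void model_read_lock(struct model *m) { m->readers++; }
static void model_read_unlock(struct model *m)
{
    if (--m->readers > 0) return;
    /* Simplified grace period: last reader left, so run the deferred frees. */
    for (; m->deferred; m->deferred = m->deferred->defer_next)
        m->deferred->state = OBJ_FREED;
}

/* Unlink d, then free at once (pre-fix pattern) or defer (kfree_rcu-like). */
static void model_destroy(struct model *m, struct pdev *d, bool defer)
{
    struct pdev **pp = &m->head;
    while (*pp && *pp != d)
        pp = &(*pp)->next;
    if (!*pp) return;
    *pp = d->next;               /* d->next stays valid for readers */
    d->state = defer ? OBJ_UNLINKED : OBJ_FREED;
    if (defer) {
        d->defer_next = m->deferred;
        m->deferred = d;
    }
}

/* Reader holds the first entry while a writer destroys it; returns the state it sees. */
static enum obj_state reader_sees(bool defer, enum obj_state *after)
{
    struct pdev b = { NULL, NULL, OBJ_LIVE }, a = { &b, NULL, OBJ_LIVE };
    struct model m = { &a, NULL, 0 };
    model_read_lock(&m);
    struct pdev *p = m.head;             /* reader picked up &a */
    model_destroy(&m, p, defer);         /* writer removes it mid-walk */
    enum obj_state seen = p->state;      /* OBJ_FREED here is the use-after-free */
    model_read_unlock(&m);
    *after = p->state;                   /* state once the reader has left */
    return seen;
}
```

With immediate release the reader's next access lands on an object already marked freed; with deferral it sees an unlinked but still valid object, and the release happens only after the reader exits.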

Responsible

Linux

Reservation

06/09/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00173

KEV

no

Activities

low
