CVE-2026-53247 in Linux

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.


Analysis

by VulDB Data Team • 06/25/2026

This vulnerability exists in the MediaTek ethernet driver (mtk_eth_soc) of the Linux kernel and is a critical use-after-free that can lead to system instability or potential privilege escalation. The issue stems from improper memory management during the teardown of metadata destination structures: mtk_free_dev() invokes metadata_dst_free() directly without adhering to RCU (Read-Copy-Update) semantics. Because metadata_dst_free() immediately calls kfree(), it bypasses the RCU grace period that guarantees all active readers have finished before the memory is deallocated.

The vulnerability is a race between the network receive path and driver cleanup. During normal operation, skb_dst_set_noref() establishes a non-reference-counted pointer from a socket buffer (skb) to a metadata_dst object; such a pointer is only valid under RCU read-side protection, and the object must stay alive until every reader has completed. When mtk_free_dev() runs, it frees the metadata_dst without going through the reference count, so packets still in flight may hold pointers to memory that has already been freed. The direct kfree() violates the kernel's rules for RCU-protected objects and opens a window in which any subsequent access through a noref pointer is a use-after-free with undefined behavior.

The operational impact extends beyond a simple crash: the vulnerability can potentially enable privilege escalation or denial of service within the network processing subsystem. Packets being processed or queued may reference freed metadata_dst structures, leading to memory corruption that could be exploited by malicious actors. The flaw is specific to the MediaTek ethernet driver but illustrates a broader problem in kernel networking memory management: resource cleanup that does not maintain proper synchronization. The issue maps to CWE-416 (Use After Free) and aligns with ATT&CK technique T1068 (Exploitation for Privilege Escalation).

The fix replaces the metadata_dst_free() call with dst_release(), which implements proper reference-counting semantics and RCU synchronization. dst_release() drops the refcount and, only when it reaches zero, schedules the actual free via call_rcu_hurry(), so deallocation happens after all RCU readers have completed. This addresses the root cause by correctly ordering packet processing and resource teardown, closing the race that enables the use-after-free. The change follows established kernel practice for managing reference-counted objects in concurrent contexts and preserves the driver's functionality.
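To make the ordering concrete, here is an added userspace model (not kernel code; no kernel API is called) of the race the analysis describes: a reader holding a noref pointer under RCU while the driver tears the dst down, once with the immediate free and once through the refcount-and-deferred-free path. The names model_dst, rcu_*_model and teardown_* are hypothetical, and a 'freed' flag stands in for kfree().

```c
/* Added userspace model of the teardown race in this advisory (not kernel code).
 * Memory is never really freed: a 'freed' flag records the point at which the
 * kernel would have called kfree(), so a reader can safely test for the UAF. */
#include <stdbool.h>
#include <stddef.h>

struct model_dst {
    int  refcnt;   /* owner references; noref readers are not counted */
    bool freed;    /* set when the model "kfree()"s the object */
};

static int rcu_readers;                /* readers inside a read-side critical section */
static struct model_dst *rcu_pending;  /* free deferred until the grace period ends */

static void rcu_read_lock_model(void) { rcu_readers++; }
/* The last reader leaving ends the grace period: run the deferred free now. */
static void rcu_read_unlock_model(void) {
    if (--rcu_readers == 0 && rcu_pending) {
        rcu_pending->freed = true;
        rcu_pending = NULL;
    }
}

/* Buggy teardown: metadata_dst_free() -> kfree() right away. */
static void teardown_immediate(struct model_dst *dst) { dst->freed = true; }

/* Fixed teardown: dst_release() drops the refcount; at zero the free is handed
 * to RCU (call_rcu_hurry() in the kernel) and runs only after every reader in
 * flight has left its critical section. */
static void teardown_dst_release(struct model_dst *dst) {
    if (--dst->refcnt != 0) return;
    if (rcu_readers == 0) dst->freed = true;
    else rcu_pending = dst;
}

/* One RX skb holds a noref pointer (skb_dst_set_noref()) while the driver tears
 * the dst down. Result bits: RACE_UAF if the reader saw the object freed under
 * it; RACE_RELEASED if the object was released once the reader had left. */
enum { RACE_UAF = 1, RACE_RELEASED = 2 };
static int rx_reader_races_teardown(void (*teardown)(struct model_dst *)) {
    struct model_dst dst = { .refcnt = 1, .freed = false };
    int result = 0;
    rcu_read_lock_model();                   /* RX path enters rcu_read_lock() */
    teardown(&dst);                          /* driver unregister runs concurrently */
    if (dst.freed) result |= RACE_UAF;       /* reader dereferences its noref pointer */
    rcu_read_unlock_model();                 /* grace period completes here */
    if (dst.freed) result |= RACE_RELEASED;  /* neither path may leak the object */
    return result;
}
```

In the model the immediate free is observed by the reader, while the dst_release() path defers the free until the reader has left and still releases the object afterwards.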

The bug exemplifies a common kernel pitfall: freeing an object without accounting for concurrent readers and the synchronization primitives that protect them. The fix shows the importance of following the established pattern for RCU-protected data structures that may be accessed from several execution contexts at once; it ensures that network processing paths respect reference counting and RCU ordering, preventing exploitation while preserving stability and performance.

Responsible: Linux

Reservation: 06/09/2026

Disclosure: 06/25/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low

Sources
