CVE-2026-52971
Analyzed Analyzed - Analysis Complete

Use-After-Free in Linux Kernel ENA PHC

Vulnerability report for CVE-2026-52971, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: ena: PHC: Fix potential use-after-free in get_timestamp Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired. If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it. With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 6.17 (inc) to 6.18.33 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ena network driver related to the Precision Hardware Clock (PHC) functionality. The issue is a potential use-after-free bug in the get_timestamp function. Specifically, the code checked if the PHC was active without holding a lock, and then cached a pointer before acquiring a spinlock. If the PHC was destroyed concurrently between these steps, the memory could be freed and the pointer set to NULL, leading to a dereference of a NULL pointer. The fix involved moving the active check and pointer assignment to occur only after acquiring the spinlock, preventing the memory from being freed while it is still in use.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's network driver, which may cause system instability or crashes due to dereferencing a NULL pointer. Such behavior could potentially be exploited to cause denial of service or other unpredictable kernel behavior, impacting the reliability and availability of systems running vulnerable versions of the Linux kernel.

Mitigation Strategies

The vulnerability has been resolved by fixing the Linux kernel code to properly acquire a spinlock before checking and using the phc->active flag and resp pointer, preventing use-after-free conditions.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52971. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart