CVE-2026-52982
Received Received - Intake
Use-After-Free in RTL8150 USB Ethernet Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called: BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226 The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action(): CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->tx_skb = skb; usb_submit_urb() --+ |-------> write_bulk_callback() | dev_kfree_skb_irq(dev->tx_skb) | net_tx_action() | napi_skb_cache_put() <-- free netdev->stats.tx_bytes | += skb->len; <-- UAF read Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter. The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52982
EUVD
EUVD-2026-38850
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) bug in the Linux kernel's USB network driver rtl8150. It occurs in the function rtl8150_start_xmit(), where the code reads the length of a network packet (skb->len) after the packet has already been freed. Specifically, the packet buffer (skb) is freed asynchronously by a USB completion handler before the original function finishes using it, leading to a read from freed memory.

The root cause is that the driver reads skb->len for transmission statistics after calling usb_submit_urb(), but the USB request block (URB) may complete on another CPU and free the skb before the read happens. This results in a use-after-free condition.

The fix involved caching the skb->len value before submitting the URB and then using this cached value for updating the transmission byte counter, preventing access to freed memory.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the kernel, including potential crashes or memory corruption. Since it involves reading freed memory, it could be exploited to cause denial of service or potentially escalate privileges if an attacker can manipulate the timing and contents of the freed memory.

However, the description does not specify any direct exploit or impact beyond the use-after-free read, so the primary impact is instability or security risks associated with kernel memory corruption.

Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter to avoid use-after-free conditions.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for the rtl8150 driver.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart