CVE-2026-52982
Analyzed Analyzed - Analysis Complete

Use-After-Free in RTL8150 USB Ethernet Driver

Vulnerability report for CVE-2026-52982, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called: BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226 The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action(): CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->tx_skb = skb; usb_submit_urb() --+ |-------> write_bulk_callback() | dev_kfree_skb_irq(dev->tx_skb) | net_tx_action() | napi_skb_cache_put() <-- free netdev->stats.tx_bytes | += skb->len; <-- UAF read Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter. The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) bug in the Linux kernel's USB network driver rtl8150. It occurs in the function rtl8150_start_xmit(), where the code reads the length of a network packet (skb->len) after the packet has already been freed. Specifically, the packet buffer (skb) is freed asynchronously by a USB completion handler before the original function finishes using it, leading to a read from freed memory.

The root cause is that the driver reads skb->len for transmission statistics after calling usb_submit_urb(), but the USB request block (URB) may complete on another CPU and free the skb before the read happens. This results in a use-after-free condition.

The fix involved caching the skb->len value before submitting the URB and then using this cached value for updating the transmission byte counter, preventing access to freed memory.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the kernel, including potential crashes or memory corruption. Since it involves reading freed memory, it could be exploited to cause denial of service or potentially escalate privileges if an attacker can manipulate the timing and contents of the freed memory.

However, the description does not specify any direct exploit or impact beyond the use-after-free read, so the primary impact is instability or security risks associated with kernel memory corruption.

Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter to avoid use-after-free conditions.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for the rtl8150 driver.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart