CVE-2026-53097
Received - Intake
Use-After-Free in MediaTek mt76 WiFi Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()

When the mt7996 pci chip is detaching, the mt7996_crash_data is released in mt7996_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash_data is dereferenced again in mt7996_mac_dump_work().

The race condition can occur as follows:

CPU 0 (removal path)             | CPU 1 (workqueue)
mt7996_pci_remove()              | mt7996_sys_recovery_set()
mt7996_unregister_device()       | mt7996_reset()
mt7996_coredump_unregister()     | queue_work()
vfree(dev->coredump.crash_data)  |
                                 | mt7996_mac_dump_work()
                                 | crash_data-> // UAF

Fix this by ensuring dump_work is properly canceled before the crash_data is deallocated. Add cancel_work_sync() in mt7996_unregister_device() to synchronize with any pending or executing dump work.

Meta Information

Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor  | Product       | Version / Range
linux   | linux_kernel  | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is a use-after-free (UAF) bug in the Linux kernel's mt7996 PCI wifi chip driver. When the mt7996 device is being removed, its crash data is freed, but a work item called dump_work may still be running or queued. If dump_work accesses the already freed crash data, it causes a use-after-free error.

The issue arises from a race condition between the device removal path and the workqueue execution. The fix involves properly canceling the dump_work before freeing the crash data to prevent it from accessing invalid memory.
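
The interleaving from the description can be replayed deterministically in user space. The following is an added example, not the kernel patch or driver code: every `model_*` name, the `freed` tombstone and `replay()` are hypothetical stand-ins, and the model covers only the pending-work case (the real cancel_work_sync() also waits for work that is already executing).

```c
/* Added example: single-threaded model of the race. All names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdlib.h>

struct crash_data { char buf[64]; };
struct model_dev {
    struct crash_data *crash_data; /* stands in for dev->coredump.crash_data */
    bool freed;                    /* tombstone: detects the bug without real UB */
    bool dump_pending;             /* stands in for a queued dump_work */
    int stale_access;              /* times the work ran against freed crash_data */
};

/* CPU 1: the reset path queues the dump work. */
static void model_queue_work(struct model_dev *d) { d->dump_pending = true; }

/* Stand-in for cancel_work_sync(): drops a pending item. The real call also
 * waits for an item that is already executing. */
static void model_cancel_work_sync(struct model_dev *d) { d->dump_pending = false; }

/* CPU 0: teardown. cancel_first selects the fixed ordering. */
static void model_unregister(struct model_dev *d, bool cancel_first) {
    if (cancel_first)
        model_cancel_work_sync(d);
    free(d->crash_data);           /* pointer is left dangling, as after vfree() */
    d->freed = true;
}

/* CPU 1, later: the workqueue runs whatever is still pending. */
static void model_run_workqueue(struct model_dev *d) {
    if (!d->dump_pending)
        return;
    d->dump_pending = false;
    if (d->freed)
        d->stale_access++;         /* the driver would dereference crash_data here */
    else
        d->crash_data->buf[0] = 1; /* legitimate dump while the buffer is alive */
}

/* Replays queue -> unregister -> run; returns accesses to freed data, -1 on OOM. */
int replay(bool cancel_first) {
    struct model_dev d = {0};
    d.crash_data = calloc(1, sizeof(*d.crash_data));
    if (!d.crash_data)
        return -1;
    model_queue_work(&d);
    model_unregister(&d, cancel_first);
    model_run_workqueue(&d);
    return d.stale_access;
}
```

`replay(false)` reproduces the free-then-run ordering and reports one stale access; `replay(true)` cancels first and reports none.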

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior such as system crashes, memory corruption, or potential escalation of privileges if exploited. It may destabilize the system or cause denial of service by crashing the kernel or corrupting kernel memory.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix for the use-after-free bugs in mt7996_mac_dump_work(). This fix involves properly canceling the dump_work before the crash_data is deallocated by adding cancel_work_sync() in mt7996_unregister_device().

Therefore, the immediate step is to update your Linux kernel to a version that contains this patch.
