CVE-2026-53098
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()

When the mt7915 pci chip is detaching, the mt7915_crash_data is released in mt7915_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash_data is dereferenced again in mt7915_mac_dump_work().

The race condition can occur as follows:

CPU 0 (removal path)            | CPU 1 (workqueue)
mt7915_pci_remove()             | mt7915_sys_recovery_set()
mt7915_unregister_device()      | mt7915_reset()
mt7915_coredump_unregister()    | queue_work()
vfree(dev->coredump.crash_data) | mt7915_mac_dump_work()
                                | crash_data-> // UAF

Fix this by ensuring dump_work is properly canceled before the crash_data is deallocated. Add cancel_work_sync() in mt7915_unregister_device() to synchronize with any pending or executing dump work.
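
The teardown ordering described above, as an added userspace C model (not the driver's code and not part of the advisory). The struct, the state enum and the names worker_step, model_cancel_work_sync and run_teardown are assumptions made for illustration, and a flag stands in for the freed buffer so the model never reads freed memory. It covers both cases the description names: dump_work pending and dump_work already executing when removal starts.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model of the race; names follow the advisory, bodies are assumptions. */
enum work_state { IDLE, PENDING, RUNNING };
struct model_dev {
    char *crash_data;      /* stands in for dev->coredump.crash_data */
    bool freed;            /* set at the modelled vfree(); pointer is left dangling */
    enum work_state work;  /* state of dump_work */
    int stale_derefs;      /* handler runs that touched crash_data after the free */
};

/* One step on the workqueue CPU: enter a pending handler, or finish a running one. */
static void worker_step(struct model_dev *d)
{
    if (d->work == PENDING) {
        d->work = RUNNING;          /* mt7915_mac_dump_work() entered */
    } else if (d->work == RUNNING) {
        if (d->freed)
            d->stale_derefs++;      /* in the kernel: crash_data-> on freed memory */
        else
            d->crash_data[0] = 1;   /* buffer still allocated, access is safe */
        d->work = IDLE;
    }
}

/* cancel_work_sync() semantics: dequeue if pending, wait for the handler if running. */
static void model_cancel_work_sync(struct model_dev *d)
{
    if (d->work == PENDING)
        d->work = IDLE;
    while (d->work == RUNNING)
        worker_step(d);
}

/* Removal path; cancel_first selects the patched ordering. Returns stale dereferences. */
int run_teardown(enum work_state at_removal, bool cancel_first)
{
    struct model_dev d = { calloc(1, 64), false, at_removal, 0 };
    if (!d.crash_data)
        return -1;
    if (cancel_first)
        model_cancel_work_sync(&d);
    free(d.crash_data);             /* mt7915_coredump_unregister() -> vfree() */
    d.freed = true;
    worker_step(&d);                /* workqueue CPU keeps running after the free */
    worker_step(&d);
    return d.stale_derefs;
}
```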
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free (UAF) bug in the Linux kernel's mt7915 Wi-Fi driver. It occurs when the mt7915 PCI chip is being detached. During this process, the crash data structure (mt7915_crash_data) is freed, but a work item called dump_work may still be running or queued. If dump_work then accesses the already freed crash_data, the result is a use-after-free, a memory-safety error.

The issue arises from a race condition between the removal path on one CPU and the workqueue on another CPU. The fix cancels dump_work before crash_data is freed: cancel_work_sync() is added in mt7915_unregister_device() so that removal synchronizes with any pending or executing dump work.

Impact Analysis

A use-after-free vulnerability can lead to undefined behavior such as system crashes, memory corruption, or potentially allow an attacker to execute arbitrary code with kernel privileges. In this specific case, it could destabilize the wifi driver or the entire system when the mt7915 PCI chip is detached, potentially leading to denial of service or security breaches.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix for the mt7915 use-after-free bugs in mt7915_mac_dump_work().

Specifically, the fix involves adding cancel_work_sync() in mt7915_unregister_device() to properly cancel any pending or executing dump work before the crash_data is deallocated.

Therefore, updating your kernel to a version released on or after 2026-06-24 that contains this patch is the immediate step to prevent this race condition and use-after-free issue.
