CVE-2026-53212
Received - Intake
Use-After-Free in Linux Kernel nft_tunnel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix use-after-free on object destroy

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free in the Linux kernel's netfilter nft_tunnel component. nft_tunnel_obj_destroy() calls metadata_dst_free(), which frees the metadata_dst object directly and ignores its reference count. Packets that took a reference and are still queued (for example, in a netem qdisc) are left with dangling pointers. When these packets are later dequeued, dst_release() operates on memory that has already been freed, leading to undefined behavior.

The fix replaces metadata_dst_free() with dst_release(), ensuring that the metadata_dst object is only freed after all references to it are dropped, preventing the use-after-free condition.
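
The lifetime rule behind the fix, as an added userspace C model (not kernel code and not taken from the patch). The model_* functions, the freed flag and simulate() are hypothetical stand-ins for dst_hold(), dst_release() and the two destroy behaviours described above.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model only: the struct and model_* names are hypothetical stand-ins. */
struct model_dst { int refcnt; };
static int freed;  /* 1 once the object's memory has been returned */

static void model_hold(struct model_dst *d) { d->refcnt++; }  /* role of dst_hold() */

static void model_release(struct model_dst *d)                /* role of dst_release() */
{
    if (--d->refcnt == 0) {
        free(d);
        freed = 1;
    }
}

/* Pre-fix destroy: frees without consulting refcnt, as the description says
 * metadata_dst_free() does. Returns the number of holders left dangling. */
static int destroy_direct_free(struct model_dst *d)
{
    int others = d->refcnt - 1;
    free(d);
    freed = 1;
    return others;
}

/* Queued packets take a reference, then the object is destroyed.
 * Returns how many packets would later call release on freed memory. */
int simulate(int fixed, int queued)
{
    struct model_dst *d = malloc(sizeof(*d));
    if (!d) abort();
    d->refcnt = 1;                       /* the tunnel object's own reference */
    freed = 0;
    for (int i = 0; i < queued; i++)
        model_hold(d);                   /* eval path: packet takes a reference */
    if (!fixed)
        return destroy_direct_free(d);   /* pre-fix destroy; dequeue not modelled */
    model_release(d);                    /* post-fix destroy drops one reference */
    for (int i = 0; i < queued; i++)
        model_release(d);                /* dequeue: last packet's release frees */
    return 0;
}

int main(void)
{
    printf("pre-fix: %d dangling, post-fix: %d dangling\n", simulate(0, 3), simulate(1, 3));
    return 0;
}
```

In the pre-fix path the model stops at destroy and only counts the outstanding holders, so it never touches freed memory itself.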

Impact Analysis

This use-after-free vulnerability can lead to system instability or crashes due to accessing freed memory. It may also be exploitable by attackers to execute arbitrary code or cause denial of service, depending on the context in which the freed memory is accessed.
