CVE-2026-53234
Received Received - Intake
Use-After-Free in IBM EMAC Linux Kernel Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: ibm: emac: Fix use-after-free during device removal The driver was using devm_register_netdev() which causes unregister_netdev() to be deferred until the devres cleanup phase, which runs after emac_remove() returns. This creates a use-after-free window where: 1. emac_remove() is called, which tears down hardware (cancels work, detaches modules, unregisters from MAL) 2. emac_remove() returns 3. devres cleanup runs and finally calls unregister_netdev() During step 3, the network stack might still process packets, triggering emac_irq(), emac_poll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.). Fix this by replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released. The change is safe because: - dev->ndev is assigned very early in probe (before any error paths that could bypass emac_remove) - platform_set_drvdata() is only called after successful registration, so emac_remove() only runs for fully registered devices - unregister_netdev() is idempotent and safe to call on any registered device
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53234
EUVD
EUVD-2026-39325
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ibm emac *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's IBM emac network driver during device removal.

The problem arises because the driver uses devm_register_netdev(), which defers unregistering the network device until after the device removal function (emac_remove()) returns.

During this deferred cleanup, the network stack might still process packets and call handlers that access hardware resources that have already been freed, leading to use-after-free.

The fix involves replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the start of emac_remove(), ensuring the network device is fully stopped and unregistered before hardware resources are released.

Impact Analysis

This vulnerability can lead to use-after-free conditions where the network stack accesses freed hardware resources during device removal.

Such use-after-free bugs can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or cause denial of service by exploiting the freed memory access.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix that replaces devm_register_netdev() with manual register_netdev() and calls unregister_netdev() at the beginning of emac_remove().

This fix ensures that the network device is fully stopped and unregistered before hardware resources are released, preventing use-after-free conditions during device removal.

If you maintain custom or older kernel versions, update the ibm emac driver accordingly or upgrade to a kernel version that contains this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart