CVE-2026-53248
Received - Intake
Use-After-Free in Linux Kernel Airoha Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Fix use-after-free in metadata dst teardown

airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period.

In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete.

Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down.

Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
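The ordering problem described above, as an added userspace model that is not kernel code and not part of the original advisory. Every name in it is hypothetical, the "free" is a flag so the stale read can be observed safely, and the grace period is simplified to "no reader remains".

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy userspace model; every name here is hypothetical, none is a kernel API. */
struct toy_dst { int refcnt; bool freed; /* freed stands in for kfree() */ };
struct outcome { bool reader_saw_freed; bool freed_after_readers; };

static int rcu_readers;           /* readers currently in a read-side section */
static struct toy_dst *deferred;  /* one-slot queue of frees awaiting readers */

static void toy_read_lock(void) { rcu_readers++; }
static void toy_read_unlock(void)
{
    /* Simplified grace period: a deferred free runs once no reader remains. */
    if (--rcu_readers == 0 && deferred) {
        deferred->freed = true;
        deferred = NULL;
    }
}

/* Pre-fix shape: free at once, whether or not readers are active. */
static void teardown_free_now(struct toy_dst *d) { d->freed = true; }

/* Post-fix shape: drop a reference; at zero, defer the free past readers. */
static void teardown_release(struct toy_dst *d)
{
    if (--d->refcnt > 0)
        return;
    if (rcu_readers == 0)
        d->freed = true;
    else
        deferred = d;
}

/* One RX reader holds a noref pointer while the driver tears the dst down. */
static struct outcome rx_vs_teardown(void (*teardown)(struct toy_dst *))
{
    struct toy_dst d = { .refcnt = 1, .freed = false };
    struct outcome o;
    toy_read_lock();
    struct toy_dst *noref = &d;        /* like skb_dst_set_noref(): no ref taken */
    teardown(&d);                      /* teardown lands mid-read */
    o.reader_saw_freed = noref->freed; /* the reader's later dereference */
    toy_read_unlock();
    o.freed_after_readers = d.freed;
    return o;
}

int main(void) { return rx_vs_teardown(teardown_release).reader_saw_freed; }
```

Passing teardown_free_now instead makes the reader observe the freed object, which is the condition the fix removes.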
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: airoha
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free in the Linux kernel's airoha network driver. The function airoha_metadata_dst_free() calls metadata_dst_free(), which frees the metadata_dst immediately with kfree() and bypasses the required RCU (Read-Copy-Update) grace period. Meanwhile, the RX path uses skb_dst_set_noref() to store a non-refcounted pointer from the skb to that metadata_dst, which requires the object to remain valid until all RCU readers finish. Because the object is freed too early, any skb that still holds a noref pointer at teardown is left pointing at freed memory.

The fix replaces the direct free call with a proper reference-counted release mechanism that delays freeing the memory until all RCU readers have completed, preventing the use-after-free condition.

Impact Analysis

This use-after-free vulnerability can lead to memory corruption, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges within the kernel. Such impacts can compromise the security and reliability of systems running the affected Linux kernel with the airoha driver.

Mitigation Strategies

The vulnerability is fixed by replacing the use of metadata_dst_free() with dst_release() in the Linux kernel's airoha driver, ensuring proper reference counting and safe memory freeing.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for the airoha driver.
