CVE-2026-53300
Received Received - Intake
Use-After-Free in Linux Kernel ENETC Driver

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix NTMP DMA use-after-free issue The AI-generated review reported a potential DMA use-after-free issue [1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending command is not explicitly aborted, while ntmp_free_data_mem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption. Because the hardware eventually processes the pending command and perform a DMA write of the response to the physical address of the freed buffer. To resolve this issue, this patch does the following modifications: 1. Convert cbdr->ring_lock from a spinlock to a mutex The lock was originally a spinlock in case NTMP operations might be invoked from atomic context. After downstream support for all NTMP tables, no such usage has materialized. A mutex lock is now required because the driver now needs to reclaim used BDs and release associated DMA memory within the lock's context, while dma_free_coherent() might sleep. 2. Introduce software command BD (struct netc_swcbd) The hardware write-back overwrites the addr and len fields of the BD, so the driver cannot rely on the hardware BD to free the associated DMA memory. The driver now maintains a software shadow BD storing the DMA buffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only reclaims older BDs when the number of used BDs reaches NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no longer needed and are removed. 3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd() netc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes consuming the response. At this point, if a concurrent thread submits a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer while it is still in use. Move ring_lock ownership to the caller to ensure the response buffer cannot be reclaimed prematurely. So the helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added. These changes eliminate the DMA use-after-free condition and ensure safe and consistent BD reclamation and DMA buffer lifecycle management.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-53300
EUVD
EUVD-2026-39835
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a DMA use-after-free issue in the Linux kernel's enetc network driver. Specifically, if the function netc_xmit_ntmp_cmd() times out and returns an error, the pending command is not explicitly aborted, but the DMA buffer is unconditionally freed. If that buffer has already been reallocated elsewhere, the hardware may still perform a DMA write to the physical address of the freed buffer, leading to silent memory corruption.

The issue arises because the driver relied on hardware descriptors (BDs) that get overwritten by hardware write-back, making it impossible to safely free DMA memory. The fix involved converting a spinlock to a mutex, introducing a software shadow BD to track DMA buffers correctly, and requiring callers to hold a lock across the transmission command to prevent premature freeing of buffers.

Impact Analysis

This vulnerability can lead to silent memory corruption in the Linux kernel's network driver. Such corruption can cause system instability, crashes, or unpredictable behavior. Because the hardware may write data to freed memory buffers, it could potentially overwrite other data, leading to data integrity issues or security risks such as privilege escalation or denial of service.

Mitigation Strategies

This vulnerability has been resolved by a patch to the Linux kernel that fixes the NTMP DMA use-after-free issue in the enetc driver.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

  • Apply the patch that converts cbdr->ring_lock from a spinlock to a mutex.
  • Ensure the driver uses the software command BD (struct netc_swcbd) to manage DMA buffer pointers safely.
  • Make sure callers hold the ring_lock across netc_xmit_ntmp_cmd() to prevent premature DMA buffer reclamation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53300. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart