CVE-2026-53247
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
Description
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
INFO
Published Date :
June 25, 2026, 8:39 a.m.
Last Modified :
June 25, 2026, 8:39 a.m.
Remotely Exploit :
No
Source :
Linux
Affected Products
The following products are affected by CVE-2026-53247
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Replace metadata_dst_free() with dst_release() in mtk_eth_soc driver.
- Ensure skb pointers to metadata_dst are handled correctly.
- Apply the fix to the Linux kernel.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-53247 vulnerability anywhere in the article.