CVE-2026-52982: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
In the Linux kernel, the following vulnerability has been resolved:

net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called:

    BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712
    Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226

The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action():

    CPU A (xmit)                    CPU B (USB completion softirq)
    ------------                    ------------------------------
    dev->tx_skb = skb;
    usb_submit_urb() --+
                       |-------> write_bulk_callback()
                       |           dev_kfree_skb_irq(dev->tx_skb)
                       |         net_tx_action()
                       |           napi_skb_cache_put()   <-- free
    netdev->stats.tx_bytes |
        += skb->len;       <-- UAF read

Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter.

The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's rtl8150 USB Ethernet driver, in the rtl8150_start_xmit() function. The driver stores the outgoing skb in dev->tx_skb, submits the bulk-out URB, and only afterwards reads skb->len to update the tx_bytes counter. The URB can complete on another CPU before usb_submit_urb() returns; its completion handler write_bulk_callback() frees the skb, so the later read of skb->len touches freed slab memory. The race is between the host's own transmit path and the USB host controller's completion, not an action a remote peer performs directly; a peer can only cause the host to transmit, for example by eliciting replies. The fix caches skb->len before the submit and uses the cached value for the counter. What the syzbot report demonstrates is a 4-byte read of freed memory whose value lands in a statistics counter, with no write to the freed object; the CVSS 3.1 rating recorded for this CVE is 9.8 CRITICAL (C:H/I:H/A:H), and teams should weigh that score against the code path actually involved. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running affected kernel versions.
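The interleaving and the shape of the fix, as an added C model written for this page (example code, not the driver's source or anything from the kernel tree). The USB stack, skb allocation and the completion softirq are replaced by stand-ins: a poison value written at "free" plays the role of what KASAN would report, and usb_submit_urb() is modelled as optionally completing before it returns, which is the case syzbot hit. The ETH_ZLEN padding is included to show why tx_bytes is charged the original skb->len and not the padded count handed to the device.

```c
#include <stdbool.h>
#include <stdio.h>

#define ETH_ZLEN   60u
#define POISON_LEN 0xdeadbeefu   /* marks a freed model skb; stands in for the KASAN-detected read */

/* Model of the two objects the race involves: the in-flight skb and the
 * per-device state that holds it together with the tx counters. */
struct sk_buff {
    unsigned int len;
    bool freed;
};

struct rtl8150 {
    struct sk_buff *tx_skb;
    unsigned long tx_packets;
    unsigned long tx_bytes;
    unsigned int last_urb_count;   /* padded length handed to the device */
};

/* Stand-in for dev_kfree_skb_irq() followed by net_tx_action(): the object is
 * gone, so a later read of skb->len sees the poison instead of the frame length. */
static void model_kfree_skb(struct sk_buff *skb)
{
    skb->freed = true;
    skb->len = POISON_LEN;
}

/* write_bulk_callback(): URB completion frees the skb that was submitted. */
static void write_bulk_callback(struct rtl8150 *dev)
{
    model_kfree_skb(dev->tx_skb);
    dev->tx_skb = NULL;
}

/* usb_submit_urb(): with completes_early the URB completes on the "other CPU"
 * before this call returns to the submitter. */
static int model_usb_submit_urb(struct rtl8150 *dev, unsigned int count, bool completes_early)
{
    dev->last_urb_count = count;
    if (completes_early)
        write_bulk_callback(dev);
    return 0;
}

/* Length given to the device: frames shorter than ETH_ZLEN are padded.
 * tx_bytes must not be charged this value. */
static unsigned int padded_count(unsigned int len)
{
    return len < ETH_ZLEN ? ETH_ZLEN : len;
}

/* Unfixed pattern: skb->len is read after the URB has been submitted. */
static unsigned long xmit_unfixed(struct rtl8150 *dev, struct sk_buff *skb, bool completes_early)
{
    dev->tx_skb = skb;
    model_usb_submit_urb(dev, padded_count(skb->len), completes_early);
    dev->tx_packets++;
    dev->tx_bytes += skb->len;          /* use-after-free read when completes_early */
    return dev->tx_bytes;
}

/* Fixed pattern: cache skb->len while the skb is still ours, never touch it after submit. */
static unsigned long xmit_fixed(struct rtl8150 *dev, struct sk_buff *skb, bool completes_early)
{
    unsigned int len = skb->len;        /* cached before the URB can complete */
    dev->tx_skb = skb;
    model_usb_submit_urb(dev, padded_count(len), completes_early);
    dev->tx_packets++;
    dev->tx_bytes += len;               /* no access to the skb after submit */
    return dev->tx_bytes;
}

/* Send one constructed 42-byte frame through either variant; return the resulting tx_bytes. */
static unsigned long tx_bytes_after_one_frame(bool fixed, bool completes_early)
{
    struct rtl8150 dev = {0};
    struct sk_buff skb = { .len = 42, .freed = false };
    return fixed ? xmit_fixed(&dev, &skb, completes_early)
                 : xmit_unfixed(&dev, &skb, completes_early);
}

int main(void)
{
    printf("unfixed, no early completion : tx_bytes=%lu\n", tx_bytes_after_one_frame(false, false));
    printf("unfixed, early completion    : tx_bytes=%#lx\n", tx_bytes_after_one_frame(false, true));
    printf("fixed,   early completion    : tx_bytes=%lu\n", tx_bytes_after_one_frame(true, true));
    return 0;
}
```

The unfixed variant charges the poison value to the counter whenever the completion lands before the read; with the real allocator the value read is whatever the slab slot holds at that moment, which is why KASAN rather than a wrong number is how the bug was noticed.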
HarborGuard Coverage
Detection of CVE-2026-52982 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version.
HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it with that severity weighting inside each customer org's compliance policy engine, routing the finding to the appropriate team inbox based on policy configuration.
A patched-image rebuild at the upstream fix commits is available on HarborGuard for any image found running an affected kernel version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable code path runs whenever the host transmits on an rtl8150 interface. A remote peer cannot call it directly but can make the host transmit by eliciting replies (ARP, ICMP echo, TCP handshakes), which is what AV:N in the vector reflects. The completion that frees the skb is driven by the USB host controller, not by the peer.
- Authentication: Not required
The CVSS vector specifies PR:N; eliciting traffic from the interface needs no credentials.
- Victim interaction: Not required
No user or administrator action is needed; the race occurs during normal transmit processing (UI:N).
- Attack complexity: Low (AC:L per the vector)
In practice the window is the interval between the URB completing on the other CPU and the submitter reading skb->len. The attacker does not control that scheduling and can only raise the number of attempts by driving transmit volume. On a KASAN-enabled kernel, as in the syzbot report, a winning race is visible as a splat; a production kernel without KASAN simply reads stale memory.
Blast Radius
- A winning race reads 4 bytes (skb->len) from freed slab memory and adds them to netdev->stats.tx_bytes. That counter is readable by unprivileged local users through /proc/net/dev and ip -s link, so the practical exposure is a wrong value in a per-interface byte counter, not a general read primitive over kernel memory.
- The driver only reads the freed object; it does not write to it. Corrupting a reallocated object, escalating privileges or executing code in kernel context would require a separate primitive that this bug does not provide.
- On kernels with KASAN the read produces a report, which becomes a panic on kernels configured to panic on such reports (the configuration syzbot runs with). Without KASAN the slab page stays mapped and the read does not by itself crash the host.
- Any container or workload sharing the host kernel is affected only if the rtl8150 module is loaded, which requires an RTL8150-based USB Ethernet adapter to be present; network namespace isolation does not change this, because the driver and its counters live in the host kernel.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-52982 is active across the platform and matches against any image whose kernel version falls within the affected range. For environments with auto-remediation enabled, HarborGuard generates a rebuilt image pinned to a commit at or after the upstream fix, runs a regression test suite, and opens a pull request against affected workloads; for high and critical severity issues the median time from CVE publication to merged patch PR is around 90 minutes in such environments. For customers who have not opted into auto-remediation, the finding is surfaced in the HarborGuard dashboard with the full CVSS context and fix-commit details so engineering teams can prioritize their own rebuild. Two points matter when prioritizing: the vulnerable code runs only on hosts where the rtl8150 module is loaded, which requires a Realtek RTL8150 USB Ethernet adapter to be present (lsmod on the host shows whether it is), and for container workloads the kernel that executes this code is the node's, whatever kernel packages the image itself carries. Where compliance policy or operational constraints prevent immediate patching, keeping the rtl8150 module unloaded (blacklisting it where no such adapter is needed), isolating hosts with rtl8150-backed interfaces by network policy, and restricting untrusted external traffic to those interfaces are compensating controls that reduce exposure while a kernel update is prepared.
Fix available
- Linux / Linux: affected from commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (the initial git import) up to each of the following fix commits:
  - 5af290c86fa81ddbc86a08d54229af5daa40c6a4
  - 24831b0b2ada9fef18d1f486b7b7c444ee5ba637
  - 423b5b86e14e190f6e3161eb5f2ea5f908295ba7
  - 5db090ca07b28a63fb1499690cf19a3f3adafacb
  - 30cf9829d09ca958279c937af8e35495cd2f1e09
  - 6999d70e0eda39af029fa1891c48f0a8832b09d5
- Linux / Linux: affected from 2.6.12; fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
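A check a practitioner will want after reading this list: given a running kernel's release string, decide whether it falls in a fixed range. The following C is an added example written for this page (not HarborGuard's matcher and not kernel tooling) that encodes the per-branch fix versions listed above. It applies to vanilla stable kernels only; distribution kernels backport fixes under their own version numbers, so for those the distribution's advisory is authoritative, not this comparison. The sample release strings in main() are constructed, not taken from any real host.

```c
#include <stdbool.h>
#include <stdio.h>

/* Fixed versions as listed on this page, one entry per stable branch.
 * The 7.1 entry means every 7.1.x release carries the fix. */
struct fix_entry { int major, minor, patch; };

static const struct fix_entry fixed_in[] = {
    {5, 10, 258}, {5, 15, 209}, {6, 1, 175}, {6, 6, 141},
    {6, 12, 91},  {6, 18, 33},  {7, 0, 10},  {7, 1, 0},
};
#define NFIX (sizeof fixed_in / sizeof fixed_in[0])

/* Parse "6.6.140-generic" or "7.1" into its numeric parts; patch defaults to 0. */
static bool parse_release(const char *release, int *major, int *minor, int *patch)
{
    *patch = 0;
    return sscanf(release, "%d.%d.%d", major, minor, patch) >= 2;
}

/* Returns 1 if a vanilla kernel with this release string contains the fix,
 * 0 if it is affected, -1 if the string could not be parsed. */
static int vanilla_kernel_is_fixed(const char *release)
{
    int major, minor, patch;
    if (!parse_release(release, &major, &minor, &patch))
        return -1;

    /* Anything at or beyond the newest listed branch was released with the fix. */
    const struct fix_entry *newest = &fixed_in[NFIX - 1];
    if (major > newest->major ||
        (major == newest->major && minor >= newest->minor))
        return 1;

    /* On a listed stable branch, the patch level decides. */
    for (size_t i = 0; i < NFIX; i++)
        if (fixed_in[i].major == major && fixed_in[i].minor == minor)
            return patch >= fixed_in[i].patch ? 1 : 0;

    /* A branch not in the table (for example 6.7 or 6.9) never received the fix. */
    return 0;
}

int main(void)
{
    /* Constructed sample release strings, not taken from any real host. */
    const char *samples[] = {
        "6.6.140-generic", "6.6.141", "6.12.90", "6.12.91-amd64",
        "6.9.12", "7.0.9", "7.1.0", "7.2.3", "not-a-kernel",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = vanilla_kernel_is_fixed(samples[i]);
        printf("%-18s %s\n", samples[i],
               r == 1 ? "fixed" : r == 0 ? "affected" : "unparseable");
    }
    return 0;
}
```

The common mistake this guards against is comparing against the highest fixed version only: 6.9.12 is numerically below 6.12.91 yet never received the fix, while 6.6.141 is numerically lower still and does carry it, because the fix was applied per stable branch.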
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H