CVE-2026-53247: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

mtk_free_dev() calls metadata_dst_free(), which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period.

In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection, and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down.

Replace metadata_dst_free() with dst_release(), which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
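The lifetime rule the fix restores is easier to see in a small model than in the driver itself. The following userspace C program is an added example, not kernel code and not part of the CVE record: it models a metadata_dst-like object with a refcount, an RX-path reader that holds a noref pointer inside an RCU-style read-side critical section, and two teardown paths, one that frees immediately (the metadata_dst_free() behaviour) and one that drops a reference and defers reclamation until a grace period with no active readers (the dst_release() plus call_rcu behaviour). All names ending in `_model`, the `freed` poison flag and the reader function are constructed for this illustration; the real kernel reclaims with kfree() and detects nothing, which is exactly why the bug is dangerous.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added userspace model (constructed for illustration; not kernel code) of the
 * object-lifetime rule behind this fix. A metadata_dst-like object carries a
 * refcount. RX-path readers take a non-refcounted ("noref") pointer inside an
 * RCU-style read-side critical section, so the object may only be reclaimed
 * once every such reader has finished: the job of the RCU grace period. */

struct meta_dst {
    int refcnt;        /* long-lived references held by the driver */
    bool freed;        /* poison flag: lets the model detect a UAF safely */
    int payload;
};

/* Model of the RCU read side: count of readers inside a critical section,
 * plus the queue of objects whose free was deferred (call_rcu analogue). */
static int active_readers;
static struct meta_dst *deferred_queue[8];
static int deferred_len;

static void meta_dst_init(struct meta_dst *d, int payload)
{
    d->refcnt = 1;        /* the driver's own reference, taken at allocation */
    d->freed = false;
    d->payload = payload;
}

static void rcu_read_lock_model(void)   { active_readers++; }
static void rcu_read_unlock_model(void) { active_readers--; }

/* Buggy teardown: metadata_dst_free() frees immediately, ignoring readers. */
static void metadata_dst_free_model(struct meta_dst *d)
{
    d->freed = true;
}

/* Fixed teardown: dst_release() drops the refcount; the last reference only
 * queues the object, and reclamation waits for a grace period. */
static void dst_release_model(struct meta_dst *d)
{
    if (--d->refcnt == 0)
        deferred_queue[deferred_len++] = d;
}

/* Grace period: reclaim queued objects only when no reader is active.
 * Returns how many objects were actually reclaimed. */
static int run_grace_period(void)
{
    if (active_readers > 0)
        return 0;
    int n = deferred_len;
    for (int i = 0; i < n; i++)
        deferred_queue[i]->freed = true;
    deferred_len = 0;
    return n;
}

/* Reader mimicking the RX path: skb_dst_set_noref() stores the pointer
 * without bumping refcnt, so validity rests entirely on RCU ordering.
 * Teardown runs while the reader is active. Returns true if the reader
 * dereferenced a reclaimed object, i.e. a use-after-free. */
static bool reader_saw_uaf(struct meta_dst *d, bool use_dst_release)
{
    rcu_read_lock_model();
    struct meta_dst *noref = d;        /* skb_dst_set_noref analogue */
    if (use_dst_release)
        dst_release_model(d);          /* fixed path */
    else
        metadata_dst_free_model(d);    /* buggy path */
    run_grace_period();                /* cannot reclaim: a reader is active */
    bool uaf = noref->freed;           /* reader touches the object here */
    rcu_read_unlock_model();
    run_grace_period();                /* reader gone: deferred free proceeds */
    return uaf;
}

/* Returns true: immediate free lets the reader see reclaimed memory. */
bool demo_buggy_teardown(void)
{
    struct meta_dst d;
    meta_dst_init(&d, 1);
    return reader_saw_uaf(&d, false);
}

/* Returns 0 when the fix behaves as intended: bit 0 set if the reader saw a
 * UAF, bit 1 set if the object was never reclaimed after the grace period. */
int demo_fixed_teardown(void)
{
    struct meta_dst d;
    meta_dst_init(&d, 2);
    int status = reader_saw_uaf(&d, true) ? 1 : 0;
    if (!d.freed)
        status |= 2;
    return status;
}

int main(void)
{
    printf("immediate free, reader saw UAF: %s\n",
           demo_buggy_teardown() ? "yes" : "no");
    printf("refcounted release status (0 = correct): %d\n",
           demo_fixed_teardown());
    return 0;
}
```

The model makes the ordering explicit: with the immediate free, the reader's noref pointer refers to reclaimed memory while the reader is still inside its critical section; with the refcounted release, the object stays valid until the reader leaves, and only the subsequent grace period reclaims it. This is the same property the kernel's refcount-plus-call_rcu path provides, which is why swapping metadata_dst_free() for dst_release() closes the window.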
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc). The flaw is reachable over the network with no authentication required, and affects systems where the driver tears down a metadata destination structure without honoring the RCU (Read-Copy-Update) grace period, leaving dangling pointers accessible to concurrent RCU readers in the receive path. Successful exploitation gives an attacker full read, write, and denial-of-service capability over the affected system. Patched kernel versions 6.6.143 and 6.12.94 are available, and a patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that carry affected Linux kernel versions. Any image whose kernel package falls within the affected version range is flagged automatically during both registry scans and CI pipeline checks.
HarborGuard scores this CVE at CVSS 9.8 (Critical, v3.1) and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied, and findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at kernel versions 6.6.143 or 6.12.94 becomes available on HarborGuard as soon as the upstream fix is confirmed for a given image's base. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the resulting image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the affected service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.
- Authentication: Not required
No credentials or prior account access are needed; the CVSS vector specifies PR:N.
- Victim interaction: Not required
Exploitation requires no action from any user or operator on the target system; the CVSS vector specifies UI:N.
- Attack complexity: Low
Attack complexity is rated Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- An attacker who triggers the use-after-free can read arbitrary kernel memory, exposing cryptographic keys, session tokens, and other sensitive data held in kernel structures.
- The write primitive obtained through the freed memory region allows modification of kernel data structures, enabling privilege escalation or injection of attacker-controlled code paths.
- The driver can be crashed by corrupting freed memory, taking down the network interface and any workloads depending on it.
- Because the flaw lives in the kernel receive path, a remote attacker sending crafted network traffic can repeatedly trigger the condition without requiring a foothold on the host.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel version falls in the affected range, covering both registry-resident images and those built in CI pipelines. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to kernel 6.6.143 or 6.12.94, a regression test run against the rebuilt image, and a pull request opened against affected workloads. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding as a critical priority item with direct links to the upstream commits (2d86aeb46d5f69c704065a8c69822582787272a1 and 459c6f35c58cf0fd5247e55d73ddaa29571d9b7e) so engineering teams can prioritize the kernel update manually. As a compensating control while a rebuild is in progress, network policy rules that restrict inbound traffic to the affected Ethernet interface can reduce exposure surface.
Fix available
- Linux / Linux: < 72775977e89c25c99ee84d2c5baa3f86a8ba5cb4 (from 2d7605a729062bb554f03c5983d8cfb8c0b42e9c) · < 459c6f35c58cf0fd5247e55d73ddaa29571d9b7e (from 2d7605a729062bb554f03c5983d8cfb8c0b42e9c) · < e634408d2b0cd939cfe019398a21fb47b7a8ffe3 (from 2d7605a729062bb554f03c5983d8cfb8c0b42e9c) · < 2d86aeb46d5f69c704065a8c69822582787272a1 (from 2d7605a729062bb554f03c5983d8cfb8c0b42e9c) · < 80df409e1a483676826a6c66e693dba6ac507751 (from 2d7605a729062bb554f03c5983d8cfb8c0b42e9c)
- Linux / Linux (6.2): Fixed in 0, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H