CVE-2026-53097

ANALYSIS PENDING

wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() When the mt7996 pci chip is detaching, the mt7996_crash_data is released in mt7996_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash_data is dereferenced again in mt7996_mac_dump_work(). The race condition can occur as follows: CPU 0 (removal path) | CPU 1 (workqueue) mt7996_pci_remove() | mt7996_sys_recovery_set() mt7996_unregister_device() | mt7996_reset() mt7996_coredump_unregister() | queue_work() vfree(dev->coredump.crash_data) | mt7996_mac_dump_work() | crash_data-> // UAF Fix this by ensuring dump_work is properly canceled before the crash_data is deallocated. Add cancel_work_sync() in mt7996_unregister_device() to synchronize with any pending or executing dump work.

Scores

EPSS 0.0017
EPSS Percentile 6.3%

Details

Status published
Products (13)
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.4.0 - 6.12.91linux
Linux/Linux < 6.4
Linux/Linux 6.12.91 - 6.12.*
Linux/Linux 6.18.33 - 6.18.*
Linux/Linux 6.4
Linux/Linux 7.0.10 - 7.0.*
Linux/Linux 7.1
Linux/Linux 878161d5d4a469a6ef7f3fb4fe9f676bc508ee99 - 180182a3f23ff79430a32ca2c4c1885368ceab48
... and 3 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026