CVE-2026-53212 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05
https://git.kernel.org/stable/c/55b79b1ae42372012413ce0413181d26679b17ef
https://git.kernel.org/stable/c/5e9ee18b27fde88cb6148202b33916c66693fe82
https://git.kernel.org/stable/c/8767fe4079affa74314d7eb3220e700150289842
https://git.kernel.org/stable/c/941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3
https://git.kernel.org/stable/c/c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a
https://git.kernel.org/stable/c/f9a0e4b61054cde89a2a77845293c726cc07cc43
https://git.kernel.org/stable/c/fda6573a46ad24f35348e024905ee5bdf729797e

History

Thu, 25 Jun 2026 11:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.
Title		netfilter: nft_tunnel: fix use-after-free on object destroy
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05 https://git.kernel.org/stable/c/55b79b1ae42372012413ce0413181d26679b17ef https://git.kernel.org/stable/c/5e9ee18b27fde88cb6148202b33916c66693fe82 https://git.kernel.org/stable/c/8767fe4079affa74314d7eb3220e700150289842 https://git.kernel.org/stable/c/941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3 https://git.kernel.org/stable/c/c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a https://git.kernel.org/stable/c/f9a0e4b61054cde89a2a77845293c726cc07cc43 https://git.kernel.org/stable/c/fda6573a46ad24f35348e024905ee5bdf729797e

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:16.888Z

Updated: 2026-06-25T08:39:16.888Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53212

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object