wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
Summary
| CVE | CVE-2026-53098 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:24 UTC |
| Updated | 2026-06-24 17:17:24 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() When the mt7915 pci chip is detaching, the mt7915_crash_data is released in mt7915_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash_data is dereferenced again in mt7915_mac_dump_work(). The race condition can occur as follows: CPU 0 (removal path) | CPU 1 (workqueue) mt7915_pci_remove() | mt7915_sys_recovery_set() mt7915_unregister_device() | mt7915_reset() mt7915_coredump_unregister() | queue_work() vfree(dev->coredump.crash_data) | mt7915_mac_dump_work() | crash_data-> // UAF Fix this by ensuring dump_work is properly canceled before the crash_data is deallocated. Add cancel_work_sync() in mt7915_unregister_device() to synchronize with any pending or executing dump work. |
Risk And Classification
EPSS: 0.001680000 probability, percentile 0.063830000 (date 2026-06-29)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 4dbcb9125cc3e10a6d879c10e4f5816d05a87c49 6d5202409467d621b6d1dfd7fc7dadb997fe66d2 git | Not specified |
| CNA | Linux | Linux | affected 4dbcb9125cc3e10a6d879c10e4f5816d05a87c49 e6856af8a22a8e2cd18241a465ed00c2301b3a5e git | Not specified |
| CNA | Linux | Linux | affected 4dbcb9125cc3e10a6d879c10e4f5816d05a87c49 6b7cbb13c838cf2a5f2e7be0e96fe15250087939 git | Not specified |
| CNA | Linux | Linux | affected 4dbcb9125cc3e10a6d879c10e4f5816d05a87c49 21ce6d867867645fff0ef657be18f61d9f39dcd8 git | Not specified |
| CNA | Linux | Linux | affected 4dbcb9125cc3e10a6d879c10e4f5816d05a87c49 1146d0946b5358fad24812bd39d68f31cd40cc34 git | Not specified |
| CNA | Linux | Linux | affected 6.2 | Not specified |
| CNA | Linux | Linux | unaffected 6.2 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/21ce6d867867645fff0ef657be18f61d9f39dcd8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/e6856af8a22a8e2cd18241a465ed00c2301b3a5e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6b7cbb13c838cf2a5f2e7be0e96fe15250087939 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1146d0946b5358fad24812bd39d68f31cd40cc34 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6d5202409467d621b6d1dfd7fc7dadb997fe66d2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.