netfilter: nft_tunnel: fix use-after-free on object destroy

Summary

CVE	CVE-2026-53212
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:38 UTC
Updated	2026-06-25 09:16:38 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba 349df61526d2e39decc685d246202e3e284cfe05 git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba 55b79b1ae42372012413ce0413181d26679b17ef git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba 5e9ee18b27fde88cb6148202b33916c66693fe82 git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba 8767fe4079affa74314d7eb3220e700150289842 git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba fda6573a46ad24f35348e024905ee5bdf729797e git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba 941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3 git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba f9a0e4b61054cde89a2a77845293c726cc07cc43 git	Not specified
CNA	Linux	Linux	affected af308b94a2a4a5a27bec9028354c4df444a7c8ba c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a git	Not specified
CNA	Linux	Linux	affected 4.19	Not specified
CNA	Linux	Linux	unaffected 4.19 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.259 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.210 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.176 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f9a0e4b61054cde89a2a77845293c726cc07cc43	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8767fe4079affa74314d7eb3220e700150289842	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5e9ee18b27fde88cb6148202b33916c66693fe82	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/55b79b1ae42372012413ce0413181d26679b17ef	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fda6573a46ad24f35348e024905ee5bdf729797e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.