net: ibm: emac: Fix use-after-free during device removal
Summary
| CVE | CVE-2026-53234 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-25 09:16:41 UTC |
| Updated | 2026-06-25 09:16:41 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved:<br><br>net: ibm: emac: Fix use-after-free during device removal<br><br>The driver was using devm_register_netdev() which causes unregister_netdev() to be deferred until the devres cleanup phase, which runs after emac_remove() returns. This creates a use-after-free window where:<br>1. emac_remove() is called, which tears down hardware (cancels work, detaches modules, unregisters from MAL)<br>2. emac_remove() returns<br>3. devres cleanup runs and finally calls unregister_netdev()<br><br>During step 3, the network stack might still process packets, triggering emac_irq(), emac_poll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.).<br><br>Fix this by replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released.<br><br>The change is safe because:<br>- dev->ndev is assigned very early in probe (before any error paths that could bypass emac_remove)<br>- platform_set_drvdata() is only called after successful registration, so emac_remove() only runs for fully registered devices<br>- unregister_netdev() is idempotent and safe to call on any registered device |
Risk And Classification
EPSS: 0.001760000 probability, percentile 0.073050000 (date 2026-06-25)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected a4dd8535a527061a01f2fd335596fa77ca240a96 cf8e14db93eaecc4c0c58299be3b3183b0e53ed5 git | Not specified |
| CNA | Linux | Linux | affected a4dd8535a527061a01f2fd335596fa77ca240a96 c09c2e236eef6f59e105f38a30f5439e6ccbcad7 git | Not specified |
| CNA | Linux | Linux | affected a4dd8535a527061a01f2fd335596fa77ca240a96 c12584cd6078085d707266be864e7e1cc91d74e3 git | Not specified |
| CNA | Linux | Linux | affected a4dd8535a527061a01f2fd335596fa77ca240a96 a0130d682222ae21afc395aead7cd2d87e1a8358 git | Not specified |
| CNA | Linux | Linux | affected 6.12 | Not specified |
| CNA | Linux | Linux | unaffected 6.12 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.94 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.36 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.13 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/a0130d682222ae21afc395aead7cd2d87e1a8358 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c09c2e236eef6f59e105f38a30f5439e6ccbcad7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c12584cd6078085d707266be864e7e1cc91d74e3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/cf8e14db93eaecc4c0c58299be3b3183b0e53ed5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.