{"api_version":"1","generated_at":"2026-06-27T07:37:23+00:00","cve":"CVE-2026-53300","urls":{"html":"https://cve.report/CVE-2026-53300","api":"https://cve.report/api/cve/CVE-2026-53300.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53300","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53300"},"summary":{"title":"net: enetc: fix NTMP DMA use-after-free issue","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix NTMP DMA use-after-free issue\n\nThe AI-generated review reported a potential DMA use-after-free issue\n[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending\ncommand is not explicitly aborted, while ntmp_free_data_mem()\nunconditionally frees the DMA buffer. If the buffer has already been\nreallocated elsewhere, this may lead to silent memory corruption. Because\nthe hardware eventually processes the pending command and perform a DMA\nwrite of the response to the physical address of the freed buffer.\n\nTo resolve this issue, this patch does the following modifications:\n\n1. Convert cbdr->ring_lock from a spinlock to a mutex\n\nThe lock was originally a spinlock in case NTMP operations might be\ninvoked from atomic context. After downstream support for all NTMP\ntables, no such usage has materialized. A mutex lock is now required\nbecause the driver now needs to reclaim used BDs and release associated\nDMA memory within the lock's context, while dma_free_coherent() might\nsleep.\n\n2. Introduce software command BD (struct netc_swcbd)\n\nThe hardware write-back overwrites the addr and len fields of the BD,\nso the driver cannot rely on the hardware BD to free the associated DMA\nmemory. The driver now maintains a software shadow BD storing the DMA\nbuffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only\nreclaims older BDs when the number of used BDs reaches\nNETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory\nrelease. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no\nlonger needed and are removed.\n\n3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()\n\nnetc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes\nconsuming the response. At this point, if a concurrent thread submits\na new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer\nwhile it is still in use. Move ring_lock ownership to the caller to\nensure the response buffer cannot be reclaimed prematurely. So the\nhelpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.\n\nThese changes eliminate the DMA use-after-free condition and ensure safe\nand consistent BD reclamation and DMA buffer lifecycle management.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-26 20:17:23","updated_at":"2026-06-26 20:17:23"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f","name":"https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","name":"https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d","name":"https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53300","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53300","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4701073c3debd16d7f534f3eb808bd9b50601c0c 37c8933064be714ee672b0a0523c2fd045b73b3d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4701073c3debd16d7f534f3eb808bd9b50601c0c 655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4701073c3debd16d7f534f3eb808bd9b50601c0c 3cade698881eb238f88cbbfec82acc2110440a3f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/freescale/enetc/ntmp.c","drivers/net/ethernet/freescale/enetc/ntmp_private.h","include/linux/fsl/ntmp.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"37c8933064be714ee672b0a0523c2fd045b73b3d","status":"affected","version":"4701073c3debd16d7f534f3eb808bd9b50601c0c","versionType":"git"},{"lessThan":"655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","status":"affected","version":"4701073c3debd16d7f534f3eb808bd9b50601c0c","versionType":"git"},{"lessThan":"3cade698881eb238f88cbbfec82acc2110440a3f","status":"affected","version":"4701073c3debd16d7f534f3eb808bd9b50601c0c","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/freescale/enetc/ntmp.c","drivers/net/ethernet/freescale/enetc/ntmp_private.h","include/linux/fsl/ntmp.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.16"},{"lessThan":"6.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"6.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"6.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"6.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix NTMP DMA use-after-free issue\n\nThe AI-generated review reported a potential DMA use-after-free issue\n[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending\ncommand is not explicitly aborted, while ntmp_free_data_mem()\nunconditionally frees the DMA buffer. If the buffer has already been\nreallocated elsewhere, this may lead to silent memory corruption. Because\nthe hardware eventually processes the pending command and perform a DMA\nwrite of the response to the physical address of the freed buffer.\n\nTo resolve this issue, this patch does the following modifications:\n\n1. Convert cbdr->ring_lock from a spinlock to a mutex\n\nThe lock was originally a spinlock in case NTMP operations might be\ninvoked from atomic context. After downstream support for all NTMP\ntables, no such usage has materialized. A mutex lock is now required\nbecause the driver now needs to reclaim used BDs and release associated\nDMA memory within the lock's context, while dma_free_coherent() might\nsleep.\n\n2. Introduce software command BD (struct netc_swcbd)\n\nThe hardware write-back overwrites the addr and len fields of the BD,\nso the driver cannot rely on the hardware BD to free the associated DMA\nmemory. The driver now maintains a software shadow BD storing the DMA\nbuffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only\nreclaims older BDs when the number of used BDs reaches\nNETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory\nrelease. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no\nlonger needed and are removed.\n\n3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()\n\nnetc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes\nconsuming the response. At this point, if a concurrent thread submits\na new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer\nwhile it is still in use. Move ring_lock ownership to the caller to\nensure the response buffer cannot be reclaimed prematurely. So the\nhelpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.\n\nThese changes eliminate the DMA use-after-free condition and ensure safe\nand consistent BD reclamation and DMA buffer lifecycle management."}],"providerMetadata":{"dateUpdated":"2026-06-26T19:40:57.186Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d"},{"url":"https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b"},{"url":"https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f"}],"title":"net: enetc: fix NTMP DMA use-after-free issue","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53300","datePublished":"2026-06-26T19:40:57.186Z","dateReserved":"2026-06-09T07:44:35.397Z","dateUpdated":"2026-06-26T19:40:57.186Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-26 20:17:23","lastModifiedDate":"2026-06-26 20:17:23","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53300","Ordinal":"1","Title":"net: enetc: fix NTMP DMA use-after-free issue","CVE":"CVE-2026-53300","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53300","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix NTMP DMA use-after-free issue\n\nThe AI-generated review reported a potential DMA use-after-free issue\n[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending\ncommand is not explicitly aborted, while ntmp_free_data_mem()\nunconditionally frees the DMA buffer. If the buffer has already been\nreallocated elsewhere, this may lead to silent memory corruption. Because\nthe hardware eventually processes the pending command and perform a DMA\nwrite of the response to the physical address of the freed buffer.\n\nTo resolve this issue, this patch does the following modifications:\n\n1. Convert cbdr->ring_lock from a spinlock to a mutex\n\nThe lock was originally a spinlock in case NTMP operations might be\ninvoked from atomic context. After downstream support for all NTMP\ntables, no such usage has materialized. A mutex lock is now required\nbecause the driver now needs to reclaim used BDs and release associated\nDMA memory within the lock's context, while dma_free_coherent() might\nsleep.\n\n2. Introduce software command BD (struct netc_swcbd)\n\nThe hardware write-back overwrites the addr and len fields of the BD,\nso the driver cannot rely on the hardware BD to free the associated DMA\nmemory. The driver now maintains a software shadow BD storing the DMA\nbuffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only\nreclaims older BDs when the number of used BDs reaches\nNETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory\nrelease. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no\nlonger needed and are removed.\n\n3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()\n\nnetc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes\nconsuming the response. At this point, if a concurrent thread submits\na new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer\nwhile it is still in use. Move ring_lock ownership to the caller to\nensure the response buffer cannot be reclaimed prematurely. So the\nhelpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.\n\nThese changes eliminate the DMA use-after-free condition and ensure safe\nand consistent BD reclamation and DMA buffer lifecycle management.","Type":"Description","Title":"net: enetc: fix NTMP DMA use-after-free issue"}]}}}