[SRU][R/N/J][PATCH 0/3] CVE-2026-53212

Cengiz Can cengiz.can at canonical.com
Fri Jul 10 08:59:33 UTC 2026


https://ubuntu.com/security/CVE-2026-53212

[ Impact ]

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the
metadata_dst, ignoring the dst_entry refcount. Packets that took a reference
via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem
qdisc) are left with a dangling pointer. When these packets are eventually
dequeued, dst_release() operates on freed memory, resulting in a use-after-free
that could lead to a crash or potential privilege escalation.

[ Fix ]

resolute: clean cherry-pick
noble: clean cherry-pick
jammy: clean cherry-pick
focal: clean cherry-pick

[ Test Plan ]

Boot tested.

[ Where Problems Could Occur ]

A regression in this change would affect the netfilter nf_tables tunnel
subsystem, potentially causing incorrect reference counting of metadata_dst
objects, leading to memory leaks or premature frees during tunnel object
destruction.



More information about the kernel-team mailing list