ACK/Cmnt: [SRU][R/N/J][PATCH 0/3] CVE-2026-53212

Alessio Faina alessio.faina at canonical.com
Wed Jul 15 13:40:30 UTC 2026


On Fri, Jul 10, 2026 at 11:59:33AM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53212
> 
> [ Impact ]
> 
> nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the
> metadata_dst, ignoring the dst_entry refcount. Packets that took a reference
> via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem
> qdisc) are left with a dangling pointer. When these packets are eventually
> dequeued, dst_release() operates on freed memory, resulting in a use-after-free
> that could lead to a crash or potential privilege escalation.
> 
> [ Fix ]
> 
> resolute: clean cherry-pick
> noble: clean cherry-pick
> jammy: clean cherry-pick
> focal: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change would affect the netfilter nf_tables tunnel
> subsystem, potentially causing incorrect reference counting of metadata_dst
> objects, leading to memory leaks or premature frees during tunnel object
> destruction.
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch for Resolute is not needed as it has been pulled in with the merge
with Upstream stable to v7.0.12

Acked-by: Alessio Faina <alessio.faina at canonical.com>



More information about the kernel-team mailing list