ACK: [SRU][R/N/J][PATCH 0/3] CVE-2026-53212
Manuel Diewald
manuel.diewald at canonical.com
Thu Jul 16 15:36:23 UTC 2026
On Fri, Jul 10, 2026 at 11:59:33AM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53212
>
> [ Impact ]
>
> nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the
> metadata_dst, ignoring the dst_entry refcount. Packets that took a reference
> via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem
> qdisc) are left with a dangling pointer. When these packets are eventually
> dequeued, dst_release() operates on freed memory, resulting in a use-after-free
> that could lead to a crash or potential privilege escalation.
>
> [ Fix ]
>
> resolute: clean cherry-pick
> noble: clean cherry-pick
> jammy: clean cherry-pick
> focal: clean cherry-pick
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this change would affect the netfilter nf_tables tunnel
> subsystem, potentially causing incorrect reference counting of metadata_dst
> objects, leading to memory leaks or premature frees during tunnel object
> destruction.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/5e37cc82/attachment.sig>
More information about the kernel-team
mailing list