APPLIED[N/J]/Cmnt: [SRU][R/N/J][PATCH 0/3] CVE-2026-53212

Stefan Bader stefan.bader at canonical.com
Fri Jul 17 10:03:23 UTC 2026


On 10/07/2026 10:59, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53212
> 
> [ Impact ]
> 
> nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the
> metadata_dst, ignoring the dst_entry refcount. Packets that took a reference
> via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem
> qdisc) are left with a dangling pointer. When these packets are eventually
> dequeued, dst_release() operates on freed memory, resulting in a use-after-free
> that could lead to a crash or potential privilege escalation.
> 
> [ Fix ]
> 
> resolute: clean cherry-pick
> noble: clean cherry-pick
> jammy: clean cherry-pick
> focal: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change would affect the netfilter nf_tables tunnel
> subsystem, potentially causing incorrect reference counting of metadata_dst
> objects, leading to memory leaks or premature frees during tunnel object
> destruction.
> 

Applied to noble,jammy:linux/master-next. Resolute was already applied 
via stable (updated msg now includes CVE). Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260717/80e69017/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260717/80e69017/attachment-0001.sig>


More information about the kernel-team mailing list