{"cve":{"cve_id":"CVE-2026-53300","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix NTMP DMA use-after-free issue\n\nThe AI-generated review reported a potential DMA use-after-free issue\n[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending\ncommand is not explicitly aborted, while ntmp_free_data_mem()\nunconditionally frees the DMA buffer. If the buffer has already been\nreallocated elsewhere, this may lead to silent memory corruption. Because\nthe hardware eventually processes the pending command and performs a DMA\nwrite of the response to the physical address of the freed buffer.\n\nTo resolve this issue, this patch does the following modifications:\n\n1. Convert cbdr->ring_lock from a spinlock to a mutex\n\nThe lock was originally a spinlock in case NTMP operations might be\ninvoked from atomic context. After downstream support for all NTMP\ntables, no such usage has materialized. A mutex lock is now required\nbecause the driver now needs to reclaim used BDs and release associated\nDMA memory within the lock's context, while dma_free_coherent() might\nsleep.\n\n2. Introduce software command BD (struct netc_swcbd)\n\nThe hardware write-back overwrites the addr and len fields of the BD,\nso the driver cannot rely on the hardware BD to free the associated DMA\nmemory. The driver now maintains a software shadow BD storing the DMA\nbuffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only\nreclaims older BDs when the number of used BDs reaches\nNETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory\nrelease. 
With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no\nlonger needed and are removed.\n\n3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()\n\nnetc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes\nconsuming the response. At this point, if a concurrent thread submits\na new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer\nwhile it is still in use. Move ring_lock ownership to the caller to\nensure the response buffer cannot be reclaimed prematurely. So the\nhelpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.\n\nThese changes eliminate the DMA use-after-free condition and ensure safe\nand consistent BD reclamation and DMA buffer lifecycle management.","published_at":"2026-06-26T19:40:57.186000Z","last_modified_at":null,"cvss_v3_score":7.8,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d","https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:28.590503Z","updated_at":"2026-06-28T23:30:52.348775Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack 
Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"4701073c3debd16d7f534f3eb808bd9b50601c0c","version_start_inclusive":true,"version_end":"37c8933064be714ee672b0a0523c2fd045b73b3d","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:4701073c3debd16d7f534f3eb808bd9b50601c0c:37c8933064be714ee672b0a0523c2fd045b73b3d"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"4701073c3debd16d7f534f3eb808bd9b50601c0c","version_start_inclusive":true,"version_end":"655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:4701073c3debd16d7f534f3eb808bd9b50601c0c:655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"4701073c3debd16d7f534f3eb808bd9b50601c0c","version_start_inclusive":true,"version_end":"3cade698881eb238f88cbbfec82acc2110440a3f","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:4701073c3debd16d7f534f3eb808bd9b50601c0c:3cade698881eb238f88cbbfec82acc2110440a3f"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.16","version_start_inclusive":true,"version_end":"6.16","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.16:6.16"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_nam
e":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"6.16","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:6.16"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.33","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.33:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.10","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.10:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-26T19:40:57.186000Z","label":"CVE published","source":null}]}