Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53300— net: enetc: fix NTMP DMA use-after-free issue

CVSS 7.8 · High EPSS 0.12% · P3

Possible ATT&CK Techniques 1AI

T1499 · Endpoint Denial of Service

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinux4701073c3debd16d7f534f3eb808bd9b50601c0c< 37c8933064be714ee672b0a0523c2fd045b73b3daffected
4701073c3debd16d7f534f3eb808bd9b50601c0c< 655d9ce9b1d3db0aa5271acb5e5101c66bd0d58baffected
4701073c3debd16d7f534f3eb808bd9b50601c0c< 3cade698881eb238f88cbbfec82acc2110440a3faffected
6.16affected
< 6.16unaffected
6.18.33≤ 6.18.*unaffected
7.0.10≤ 7.0.*unaffected
7.1≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53300

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net: enetc: fix NTMP DMA use-after-free issue
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix NTMP DMA use-after-free issue The AI-generated review reported a potential DMA use-after-free issue [1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending command is not explicitly aborted, while ntmp_free_data_mem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption. Because the hardware eventually processes the pending command and perform a DMA write of the response to the physical address of the freed buffer. To resolve this issue, this patch does the following modifications: 1. Convert cbdr->ring_lock from a spinlock to a mutex The lock was originally a spinlock in case NTMP operations might be invoked from atomic context. After downstream support for all NTMP tables, no such usage has materialized. A mutex lock is now required because the driver now needs to reclaim used BDs and release associated DMA memory within the lock's context, while dma_free_coherent() might sleep. 2. Introduce software command BD (struct netc_swcbd) The hardware write-back overwrites the addr and len fields of the BD, so the driver cannot rely on the hardware BD to free the associated DMA memory. The driver now maintains a software shadow BD storing the DMA buffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only reclaims older BDs when the number of used BDs reaches NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no longer needed and are removed. 3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd() netc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes consuming the response. At this point, if a concurrent thread submits a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer while it is still in use. Move ring_lock ownership to the caller to ensure the response buffer cannot be reclaimed prematurely. So the helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added. These changes eliminate the DMA use-after-free condition and ensure safe and consistent BD reclamation and DMA buffer lifecycle management.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会开源的操作系统Linux所使用的内核。 Linux kernel 6.16之前版本存在安全漏洞,该漏洞源于NTMP DMA释放后重用问题,可能导致内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 4701073c3debd16d7f534f3eb808bd9b50601c0c ~ 37c8933064be714ee672b0a0523c2fd045b73b3d -
LinuxLinux 6.16 -

II. Public POCs for CVE-2026-53300

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53300

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53300 (3)

Same Patch Batch · Linux · 2026-06-26 · 47 CVEs total

CVE-2026-533099.8 CRITICALocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
CVE-2026-533228.8 HIGHvfio/pci: Clean up DMABUFs before disabling function
CVE-2026-532818.8 HIGHiommu/vt-d: Avoid NULL pointer dereference or refcount corruption
CVE-2026-532907.8 HIGHdrm/xe/eustall: Fix drm_dev_put called before stream disable in close
CVE-2026-532847.5 HIGHbtrfs: only release the dirty pages io tree after successful writes
CVE-2026-53291ALSA: hda/conexant: Fix missing error check for jack detection
CVE-2026-53286idpf: fix double free and use-after-free in aux device error paths
CVE-2026-53282x86/kexec: Push kjump return address even for non-kjump kexec
CVE-2026-53280iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()
CVE-2026-53279drm/gma500/oaktrail_lvds: fix hang on init failure
CVE-2026-53278arm_mpam: Check whether the config array is allocated before destroying it
CVE-2026-53283iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
CVE-2026-53292net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
CVE-2026-53289ice: fix NULL pointer dereference in ice_reset_all_vfs()
CVE-2026-53293drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
CVE-2026-53294mailbox: mailbox-test: don't free the reused channel
CVE-2026-53295mailbox: add sanity check for channel array
CVE-2026-53296mailbox: mailbox-test: free channels on probe error
CVE-2026-53297net: mana: Guard mana_remove against double invocation
CVE-2026-53298net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()

Showing top 20 of 47 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53300

No comments yet


Leave a comment