NVD

CVE-2026-53212 Detail

Received

This CVE record has recently been published to the CVE List and has been included within the NVD dataset.

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05	kernel.org
https://git.kernel.org/stable/c/55b79b1ae42372012413ce0413181d26679b17ef	kernel.org
https://git.kernel.org/stable/c/5e9ee18b27fde88cb6148202b33916c66693fe82	kernel.org
https://git.kernel.org/stable/c/8767fe4079affa74314d7eb3220e700150289842	kernel.org
https://git.kernel.org/stable/c/941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3	kernel.org
https://git.kernel.org/stable/c/c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a	kernel.org
https://git.kernel.org/stable/c/f9a0e4b61054cde89a2a77845293c726cc07cc43	kernel.org
https://git.kernel.org/stable/c/fda6573a46ad24f35348e024905ee5bdf729797e	kernel.org

Weakness Enumeration

CWE-ID	CWE Name	Source

Change History

1 change records found show changes

New CVE Received from kernel.org 6/25/2026 5:16:38 AM

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.
Added	Reference	https://git.kernel.org/stable/c/349df61526d2e39decc685d246202e3e284cfe05
Added	Reference	https://git.kernel.org/stable/c/55b79b1ae42372012413ce0413181d26679b17ef
Added	Reference	https://git.kernel.org/stable/c/5e9ee18b27fde88cb6148202b33916c66693fe82
Added	Reference	https://git.kernel.org/stable/c/8767fe4079affa74314d7eb3220e700150289842
Added	Reference	https://git.kernel.org/stable/c/941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3
Added	Reference	https://git.kernel.org/stable/c/c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a
Added	Reference	https://git.kernel.org/stable/c/f9a0e4b61054cde89a2a77845293c726cc07cc43
Added	Reference	https://git.kernel.org/stable/c/fda6573a46ad24f35348e024905ee5bdf729797e
Added	Affected	Record truncated, showing 2048 of 2465 characters. View Entire Change Record [{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/netfilter/nft_tunnel.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"349df61526d2e39decc685d246202e3e284cfe05","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"55b79b1ae42372012413ce0413181d26679b17ef","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"5e9ee18b27fde88cb6148202b33916c66693fe82","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"8767fe4079affa74314d7eb3220e700150289842","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"fda6573a46ad24f35348e024905ee5bdf729797e","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"f9a0e4b61054cde89a2a77845293c726cc07cc43","versionType":"git","status":"affected"},{"version":"af308b94a2a4a5a27bec9028354c4df444a7c8ba","lessThan":"c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/netfilter/nft_tunnel.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.19","status":"affected"},{"version":"0","lessThan":"4.19","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.","versionType"

Quick Info

CVE Dictionary Entry:
CVE-2026-53212
NVD Published Date:
06/25/2026
NVD Last Modified:
06/25/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2026-53212 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Change History

New CVE Received from kernel.org 6/25/2026 5:16:38 AM

Quick Info