Home

Description

In the Linux kernel, the following vulnerability has been resolved: net: ibm: emac: Fix use-after-free during device removal The driver was using devm_register_netdev() which causes unregister_netdev() to be deferred until the devres cleanup phase, which runs after emac_remove() returns. This creates a use-after-free window where: 1. emac_remove() is called, which tears down hardware (cancels work, detaches modules, unregisters from MAL) 2. emac_remove() returns 3. devres cleanup runs and finally calls unregister_netdev() During step 3, the network stack might still process packets, triggering emac_irq(), emac_poll(), or other handlers that access now-freed hardware resources (dev->emacp, dev->mal, etc.). Fix this by replacing devm_register_netdev() with manual register_netdev() and calling unregister_netdev() at the beginning of emac_remove(), before any hardware teardown. This ensures the network device is fully stopped and unregistered before hardware resources are released. The change is safe because: - dev->ndev is assigned very early in probe (before any error paths that could bypass emac_remove) - platform_set_drvdata() is only called after successful registration, so emac_remove() only runs for fully registered devices - unregister_netdev() is idempotent and safe to call on any registered device

PUBLISHED Reserved 2026-06-09 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Linux

Product status

Default status
unaffected

a4dd8535a527061a01f2fd335596fa77ca240a96 (git) before cf8e14db93eaecc4c0c58299be3b3183b0e53ed5
affected

a4dd8535a527061a01f2fd335596fa77ca240a96 (git) before c09c2e236eef6f59e105f38a30f5439e6ccbcad7
affected

a4dd8535a527061a01f2fd335596fa77ca240a96 (git) before c12584cd6078085d707266be864e7e1cc91d74e3
affected

a4dd8535a527061a01f2fd335596fa77ca240a96 (git) before a0130d682222ae21afc395aead7cd2d87e1a8358
affected

Default status
affected

6.12
affected

Any version before 6.12
unaffected

6.12.94 (semver)
unaffected

6.18.36 (semver)
unaffected

7.0.13 (semver)
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/cf8e14db93eaecc4c0c58299be3b3183b0e53ed5

git.kernel.org/...c/c09c2e236eef6f59e105f38a30f5439e6ccbcad7

git.kernel.org/...c/c12584cd6078085d707266be864e7e1cc91d74e3

git.kernel.org/...c/a0130d682222ae21afc395aead7cd2d87e1a8358

cve.org (CVE-2026-53234)

nvd.nist.gov (CVE-2026-53234)

Download JSON