CVE-2026-53212

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft tunnel: fix use-after-free on object destroy

nft tunnel obj destroy() calls metadata dst free() which directly kfree()s the metadata dst, ignoring the dst entry refcount. Packets that took a reference via dst hold() in nft tunnel obj eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst release() operates on freed memory.

Replace metadata dst free() with dst release() so the metadata dst is freed only after all references are dropped. The dst subsystem already handles metadata dst cleanup in dst destroy() when DST METADATA is set.