CVE-2026-53247

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk eth soc: Fix use-after-free in metadata dst teardown

mtk free dev() calls metadata dst free() which frees the metadata dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb dst set noref() sets a non-refcounted pointer from the skb to the metadata dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata dst free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata dst free() with dst release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call rcu hurry(), ensuring all RCU readers have completed before the memory is freed.