{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53097","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.384Z","datePublished":"2026-06-24T16:30:35.223Z","dateUpdated":"2026-06-24T16:30:35.223Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-24T16:30:35.223Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()\n\nWhen the mt7996 pci chip is detaching, the mt7996_crash_data is\nreleased in mt7996_coredump_unregister(). However, the work item\ndump_work may still be running or pending, leading to UAF bugs\nwhen the already freed crash_data is dereferenced again in\nmt7996_mac_dump_work().\n\nThe race condition can occur as follows:\n\nCPU 0 (removal path)               | CPU 1 (workqueue)\nmt7996_pci_remove()                | mt7996_sys_recovery_set()\n mt7996_unregister_device()        |  mt7996_reset()\n  mt7996_coredump_unregister()     |   queue_work()\n   vfree(dev->coredump.crash_data) | mt7996_mac_dump_work()\n                                   |  crash_data-> // UAF\n\nFix this by ensuring dump_work is properly canceled before\nthe crash_data is deallocated. Add cancel_work_sync() in\nmt7996_unregister_device() to synchronize with any pending\nor executing dump work."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/mediatek/mt76/mt7996/init.c"],"versions":[{"version":"878161d5d4a469a6ef7f3fb4fe9f676bc508ee99","lessThan":"180182a3f23ff79430a32ca2c4c1885368ceab48","status":"affected","versionType":"git"},{"version":"878161d5d4a469a6ef7f3fb4fe9f676bc508ee99","lessThan":"aa4a31cd89f4fde5043ac613fe0e27014a60a60b","status":"affected","versionType":"git"},{"version":"878161d5d4a469a6ef7f3fb4fe9f676bc508ee99","lessThan":"188e10f9ea3109d23c6b7643aa6ec2f5cb0faa6d","status":"affected","versionType":"git"},{"version":"878161d5d4a469a6ef7f3fb4fe9f676bc508ee99","lessThan":"c8f62f73bbced3a79894655bdb0b625462d956fc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/mediatek/mt76/mt7996/init.c"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.12.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/180182a3f23ff79430a32ca2c4c1885368ceab48"},{"url":"https://git.kernel.org/stable/c/aa4a31cd89f4fde5043ac613fe0e27014a60a60b"},{"url":"https://git.kernel.org/stable/c/188e10f9ea3109d23c6b7643aa6ec2f5cb0faa6d"},{"url":"https://git.kernel.org/stable/c/c8f62f73bbced3a79894655bdb0b625462d956fc"}],"title":"wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()","x_generator":{"engine":"bippy-1.2.0"}}}}