CVE-2026-52982 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/23f0e34c64acba15cad4d23e50f41f533da195fa
https://git.kernel.org/stable/c/24831b0b2ada9fef18d1f486b7b7c444ee5ba637
https://git.kernel.org/stable/c/30cf9829d09ca958279c937af8e35495cd2f1e09
https://git.kernel.org/stable/c/423b5b86e14e190f6e3161eb5f2ea5f908295ba7
https://git.kernel.org/stable/c/4dd7eb94f79486b77ca6b4c8676aedbc465dc802
https://git.kernel.org/stable/c/5af290c86fa81ddbc86a08d54229af5daa40c6a4
https://git.kernel.org/stable/c/5db090ca07b28a63fb1499690cf19a3f3adafacb
https://git.kernel.org/stable/c/6999d70e0eda39af029fa1891c48f0a8832b09d5

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called: BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226 The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action(): CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->tx_skb = skb; usb_submit_urb() --+ \|-------> write_bulk_callback() \| dev_kfree_skb_irq(dev->tx_skb) \| net_tx_action() \| napi_skb_cache_put() <-- free netdev->stats.tx_bytes \| += skb->len; <-- UAF read Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter. The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.
Title		net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/23f0e34c64acba15cad4d23e50f41f533da195fa https://git.kernel.org/stable/c/24831b0b2ada9fef18d1f486b7b7c444ee5ba637 https://git.kernel.org/stable/c/30cf9829d09ca958279c937af8e35495cd2f1e09 https://git.kernel.org/stable/c/423b5b86e14e190f6e3161eb5f2ea5f908295ba7 https://git.kernel.org/stable/c/4dd7eb94f79486b77ca6b4c8676aedbc465dc802 https://git.kernel.org/stable/c/5af290c86fa81ddbc86a08d54229af5daa40c6a4 https://git.kernel.org/stable/c/5db090ca07b28a63fb1499690cf19a3f3adafacb https://git.kernel.org/stable/c/6999d70e0eda39af029fa1891c48f0a8832b09d5

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52982", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.376Z", "datePublished": "2026-06-24T16:28:57.763Z", "dateUpdated": "2026-06-24T16:28:57.763Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T16:28:57.763Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()\n\nsyzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()\nwhen accessing skb->len for tx statistics after usb_submit_urb() has\nbeen called:\n\n BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760\n drivers/net/usb/rtl8150.c:712\n Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226\n\nThe URB completion handler write_bulk_callback() frees the skb via\ndev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU\nin softirq context before usb_submit_urb() returns in the submitter,\nso by the time the submitter reads skb->len the skb has already been\nqueued to the per-CPU completion_queue and freed by net_tx_action():\n\n CPU A (xmit) CPU B (USB completion softirq)\n ------------ ------------------------------\n dev->tx_skb = skb;\n usb_submit_urb() --+\n |-------> write_bulk_callback()\n | dev_kfree_skb_irq(dev->tx_skb)\n | net_tx_action()\n | napi_skb_cache_put() <-- free\n netdev->stats.tx_bytes |\n += skb->len; <-- UAF read\n\nFix it by caching skb->len before submitting the URB and using the\ncached value when updating the tx_bytes counter.\n\nThe pre-existing tx_bytes semantics are preserved: the counter tracks\nthe original frame length (skb->len), not the ETH_ZLEN/USB-alignment\npadded \"count\" value that is handed to the device. Changing that\nwould be a user-visible accounting change and is out of scope for\nthis UAF fix."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/rtl8150.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5af290c86fa81ddbc86a08d54229af5daa40c6a4", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "24831b0b2ada9fef18d1f486b7b7c444ee5ba637", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "423b5b86e14e190f6e3161eb5f2ea5f908295ba7", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5db090ca07b28a63fb1499690cf19a3f3adafacb", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "30cf9829d09ca958279c937af8e35495cd2f1e09", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6999d70e0eda39af029fa1891c48f0a8832b09d5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4dd7eb94f79486b77ca6b4c8676aedbc465dc802", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "23f0e34c64acba15cad4d23e50f41f533da195fa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/rtl8150.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.258", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.209", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.175", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.141", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.91", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.33", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.10", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.10.258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.15.209"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.6.141"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.33"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5af290c86fa81ddbc86a08d54229af5daa40c6a4"}, {"url": "https://git.kernel.org/stable/c/24831b0b2ada9fef18d1f486b7b7c444ee5ba637"}, {"url": "https://git.kernel.org/stable/c/423b5b86e14e190f6e3161eb5f2ea5f908295ba7"}, {"url": "https://git.kernel.org/stable/c/5db090ca07b28a63fb1499690cf19a3f3adafacb"}, {"url": "https://git.kernel.org/stable/c/30cf9829d09ca958279c937af8e35495cd2f1e09"}, {"url": "https://git.kernel.org/stable/c/6999d70e0eda39af029fa1891c48f0a8832b09d5"}, {"url": "https://git.kernel.org/stable/c/4dd7eb94f79486b77ca6b4c8676aedbc465dc802"}, {"url": "https://git.kernel.org/stable/c/23f0e34c64acba15cad4d23e50f41f533da195fa"}], "title": "net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()", "x_generator": {"engine": "bippy-1.2.0"}}}}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object