Skip to main content

Linux Kernel CVE-2026-43149

| EUVDEUVD-2026-27710 MEDIUM
2026-05-06 Linux GHSA-c68r-r9r9-c6jp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:59 vuln.today
CVSS changed
May 13, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()

The priv->rx_buffer and priv->tx_buffer are alloc'd together as contiguous buffers in uhdlc_init() but freed as two buffers in uhdlc_memclean().

Change the cleanup to only call dma_free_coherent() once on the whole buffer.

AnalysisAI

Incorrect DMA buffer cleanup in the Linux kernel's fsl_ucc_hdlc WAN driver (used on Freescale/NXP QorIQ embedded platforms) causes a double-free of coherent DMA memory, resulting in a kernel panic and system crash. The driver allocates rx_buffer and tx_buffer as a single contiguous DMA region in uhdlc_init() but mistakenly calls dma_free_coherent() twice - once per buffer pointer - in uhdlc_memclean(), corrupting the DMA allocator state. Any authenticated local user or kernel path that triggers interface teardown on affected hardware can cause a complete availability loss. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects near-zero opportunistic exploitation probability given the narrow hardware scope.

Technical ContextAI

The vulnerability resides in drivers/net/wan/fsl_ucc_hdlc.c, the Freescale Universal Communication Controller (UCC) HDLC WAN driver used on QorIQ and PowerPC SoC platforms. The root cause is improper DMA resource lifecycle management: uhdlc_init() allocates a single contiguous coherent DMA buffer and assigns pointers priv->rx_buffer and priv->tx_buffer into different offsets of that allocation. The cleanup routine uhdlc_memclean() then calls dma_free_coherent() independently on each pointer, which constitutes a double-free of overlapping DMA memory - the first call frees the entire allocation, and the second call attempts to free a pointer into already-freed memory. While no CWE is formally assigned in the NVD entry, this maps closest to CWE-415 (Double Free) or CWE-762 (Mismatched Memory Management Routines) in DMA context. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects a local, low-complexity crash condition with no confidentiality or integrity impact. The 'Information Disclosure' tag appears to be a tagging artifact - the CVSS explicitly assigns C:N, and the fix description supports a pure availability impact. Affected CPE: cpe:2.3:a:linux:linux across multiple stable branches since the vulnerability was introduced at commit c19b6d246a35627c3a69b2fa6bdece212b48214b (Linux 4.8).

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version. Upstream stable fixes are available at the following commits: 6496fb830cbb (5.10 branch), ba8d8429e5d6 (5.15 branch), 84b932bc9899 (6.1 branch), d8a522085d09 (6.6 branch), 011ae5dd84dc (6.12 branch), 36bd7d5deef9 (6.18 branch), 0f85a9655445 (6.19 branch), and d68994e37ac3 (7.0 branch), all available at https://git.kernel.org/stable/c/. Patched releases per EUVD data are: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. Distribution users should apply updates from Red Hat or SUSE once backported packages are released. If patching is not immediately possible on QorIQ systems, a viable compensating control is to prevent unloading or resetting the fsl_ucc_hdlc driver module by restricting CAP_NET_ADMIN and module management to root-only contexts and ensuring the network interface is not brought down unnecessarily - this avoids triggering the cleanup path. Note that this workaround does not eliminate the bug and is not a substitute for patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy