Skip to main content

Linux Kernel CVE-2026-43203

| EUVDEUVD-2026-27764 HIGH
Use After Free (CWE-416)
2026-05-06 Linux GHSA-864f-qffm-34wc
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:37 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

atm: fore200e: fix use-after-free in tasklets during device removal

When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().

One of the race conditions can occur as follows:

CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet()

| fore200e-> // UAF Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure.

This bug was identified through static analysis.

AnalysisAI

Use-after-free in Linux kernel fore200e ATM driver allows local attackers to achieve high-severity impacts during PCA-200E or SBA-200E adapter removal. When the device is detached, tx_tasklet or rx_tasklet may still be running and access already-freed memory in fore200e_tx_tasklet() or fore200e_rx_tasklet(), potentially leading to code execution, information disclosure, or denial of service. Patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV. Identified through static analysis, suggesting no active in-the-wild exploitation at time of disclosure.

Technical ContextAI

This vulnerability affects the fore200e driver (drivers/atm/fore200e.c) for FORE Systems PCA-200E and SBA-200E ATM (Asynchronous Transfer Mode) network adapters in the Linux kernel. The issue stems from improper synchronization between device removal cleanup code and asynchronous tasklet execution. Tasklets are a kernel mechanism for deferred bottom-half interrupt processing. When fore200e_pca_remove_one() calls fore200e_shutdown() and immediately frees the fore200e structure via kfree(), concurrent tasklets scheduled by fore200e_interrupt() can still execute on another CPU core and dereference the freed memory. The affected code exists since the driver's initial introduction in kernel 2.6.12 (commit 1da177e4c3f4). The CPE identifiers cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* indicate broad Linux kernel scope. While no specific CWE is assigned, this is a classic CWE-416 (Use After Free) concurrency bug requiring race condition exploitation during device hotplug or module unload operations.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 5.10.252+ for 5.10.x series, 5.15.202+ for 5.15.x, 6.1.165+ for 6.1.x LTS, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or 7.0+ for mainline. Patches available from kernel.org stable tree (see references at https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52 and related commits). The fix adds tasklet_kill() calls in fore200e_shutdown() after fore200e_reset() within the FORE200E_STATE_IRQ state branch to ensure tasklets complete before memory deallocation. For systems unable to immediately patch, compensating controls include: (1) Blacklist the fore200e kernel module (add 'blacklist fore200e' to /etc/modprobe.d/blacklist.conf) if ATM hardware is unused - eliminates attack surface entirely with no performance impact. (2) Disable hotplug of PCI ATM adapters via udev rules to prevent removal-triggered race condition - limits operational flexibility for hardware maintenance. (3) Restrict CAP_SYS_MODULE capability to prevent unauthorized module unloading - applies defense-in-depth but doesn't prevent race during legitimate removals. Priority should be given to patching over workarounds as this is a kernel-level memory safety issue. Verify patch application by checking kernel version (uname -r) matches patched release and reviewing dmesg during device operations for absence of use-after-free warnings.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy