Skip to main content

Linux Kernel ec_bhf driver CVE-2026-43283

| EUVDEUVD-2026-27678 HIGH
2026-05-06 Linux GHSA-593c-jfqg-mjgp
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:46 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:29 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle

dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer.

Change the dma handle to priv->rx_buf.alloc_phys.

AnalysisAI

Improper DMA buffer unmapping in the Linux kernel ec_bhf Ethernet driver allows local authenticated attackers with low privileges to trigger memory corruption, potentially achieving arbitrary code execution, information disclosure, or denial of service with container escape capability (scope change). The vulnerability exists in error path handling where dma_free_coherent() receives the wrong DMA handle parameter (alloc_len instead of alloc_phys), causing incorrect buffer unmapping. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.

Technical ContextAI

The ec_bhf driver provides Ethernet support for Beckhoff CCAT FPGA devices in the Linux kernel. The vulnerability affects DMA (Direct Memory Access) buffer management specifically in error handling paths. When dma_alloc_coherent() allocates memory, it returns both a virtual address and a physical DMA handle (alloc_phys). The corresponding dma_free_coherent() must receive the correct physical handle to properly unmap the buffer from the IOMMU and release DMA resources. The buggy code incorrectly passes priv->rx_buf.alloc_len (a size value) instead of priv->rx_buf.alloc_phys (the DMA physical address). This creates a type confusion where a length integer is interpreted as a physical memory address, causing the DMA subsystem to attempt unmapping arbitrary or incorrect memory regions. The issue has existed since commit 6af55ff52b02 (kernel 3.15, circa 2014) and affects all subsequent versions until patched. CPE data confirms impact across the entire Linux kernel product line where this driver is compiled.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252 or later for 5.10.x series, 5.15.202+ for 5.15.x, 6.1.165+ for 6.1.x, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or kernel 7.0 and above. Patches are available from kernel.org stable tree at the referenced git commit URLs. For systems not using Beckhoff CCAT FPGA hardware, the ec_bhf driver can be blacklisted to prevent module loading: add 'blacklist ec_bhf' to /etc/modprobe.d/blacklist.conf and regenerate initramfs. This workaround eliminates the attack surface entirely with no functional impact on systems lacking the specific hardware. Verify the driver is not in use before blacklisting with 'lsmod | grep ec_bhf'. For air-gapped or long-term support systems where kernel upgrades are prohibitive, limit local user access and implement mandatory access controls (SELinux/AppArmor) to restrict device driver interactions, though this provides only defense-in-depth rather than eliminating the vulnerability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy