Skip to main content

Linux Kernel CVE-2026-43447

| EUVDEUVD-2026-28753 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-7qq3-fmc6-w4w4
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:36 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iavf: fix PTP use-after-free during reset

Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable.

This creates a race condition where iavf_reset_task() or iavf_disable_vf() free adapter resources (AQ) while the worker is still running. If the worker triggers iavf_queue_ptp_cmd() during teardown, it accesses freed memory/locks, leading to a crash.

Fix this by calling iavf_ptp_release() before tearing down the adapter. This ensures ptp_clock_unregister() synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.

AnalysisAI

Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and no CISA KEV listing confirms this remains a theoretical risk requiring local access with low privileges.

Technical ContextAI

The Intel Ethernet Adaptive Virtual Function (iavf) driver manages SR-IOV virtual functions for Intel network adapters in virtualized environments. Commit 7c01dbfc8a1c5f introduced a periodic worker thread to cache Precision Time Protocol (PHC) time values for improved performance. The vulnerability stems from improper lifecycle management: when iavf_reset_task() or iavf_disable_vf() tear down adapter resources including the Admin Queue (AQ) structure, they do not synchronously stop the PHC caching worker. This creates a classic use-after-free condition where the worker thread's iavf_queue_ptp_cmd() function accesses deallocated memory and locks. The fix enforces proper shutdown ordering by calling iavf_ptp_release() before resource teardown, which invokes ptp_clock_unregister() to synchronously cancel the worker thread and clean up the character device interface. This is a memory safety issue in kernel driver code affecting kernel versions 6.15+ where the problematic commit was introduced.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.19, 6.19.9, 7.0 stable, or later releases incorporating the upstream fixes per https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4 (mainline), https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12 (6.19.x), and https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec (6.18.x). If immediate patching is not feasible, organizations can mitigate risk by disabling PTP support on iavf interfaces (echo 0 > /sys/class/net/<interface>/ptp_enable if supported, or unload ptp_iavf module), though this breaks PTP timestamping functionality required for time-sensitive applications. Alternatively, restrict local user access to systems using Intel SR-IOV virtual functions, though this reduces usability in multi-tenant environments. For production virtualization hosts, treat as priority update during next maintenance window. These workarounds significantly reduce attack surface but do not eliminate the underlying race condition.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy