Skip to main content

Linux Kernel CVE-2026-43458

| EUVDEUVD-2026-28764 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-27j8-6q5h-m6jx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 16:52 vuln.today
CVSS changed
May 21, 2026 - 16:52 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

serial: caif: hold tty->link reference in ldisc_open and ser_release

A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path.

With this change applied, the reproducer no longer triggers the UAF in my testing.

AnalysisAI

Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.

Technical ContextAI

The vulnerability resides in the CAIF (Communication CPU to Application CPU Interface) serial driver (drivers/net/caif/caif_serial.c) in the Linux kernel, originally introduced in kernel 2.6.35. CAIF is a protocol used primarily for ST-Ericsson modem communication that operates as a TTY line discipline. The root cause maps to CWE-416 (Use After Free): the driver's ldisc_open() handler attached a TTY pair (tty->link) without taking an additional reference, so when the linked PTY peer was released, subsequent TX path operations calling tty_write_room() would dereference freed memory in tty->link->port. The fix takes an extra kref on tty->link during ldisc_open() and releases it in ser_release() (including on error paths).

RemediationAI

Vendor-released patch: upgrade to Linux kernel 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, or 6.19.9 (or later) depending on your stable branch, available from https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7 and the associated stable commits referenced in the CVE record. Distribution users should track their vendor's kernel security update channel (RHEL, Ubuntu USN, SUSE, Debian DSA). As a workaround pending patching, blacklist the caif_serial module via /etc/modprobe.d (install caif_serial /bin/true) on systems that do not require ST-Ericsson modem support - the side effect is loss of CAIF-over-serial functionality, which is irrelevant for the vast majority of servers and desktops. Additionally, restrict CAP_SYS_ADMIN and tty line-discipline attachment to trusted users, and harden container runtimes to prevent unprivileged ldisc changes; this restricts but does not eliminate the attack surface.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy