Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local attacker needs tty/ldisc access (PR:L) and must win a narrow timing race (AC:H); UAF in kernel memory yields full C/I/A and no scope change.
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
serial: caif: fix use-after-free in caif_serial ldisc_close()
There is a use-after-free bug in caif_serial where handle_tx() may access ser->tty after the tty has been freed.
The race condition occurs between ldisc_close() and packet transmission:
CPU 0 (close) CPU 1 (xmit) ------------- ------------ ldisc_close() tty_kref_put(ser->tty) [tty may be freed here] <-- race window --> caif_xmit() handle_tx() tty = ser->tty // dangling ptr tty->ops->write() // UAF! schedule_work() ser_release() unregister_netdevice()
The root cause is that tty_kref_put() is called in ldisc_close() while the network device is still active and can receive packets.
Since ser and tty have a 1:1 binding relationship with consistent lifecycles (ser is allocated in ldisc_open and freed in ser_release via unregister_netdevice, and each ser binds exactly one tty), we can safely defer the tty reference release to ser_release() where the network device is unregistered.
Fix this by moving tty_kref_put() from ldisc_close() to ser_release(), after unregister_netdevice(). This ensures the tty reference is held as long as the network device exists, preventing the UAF.
Note: We save ser->tty before unregister_netdevice() because ser is embedded in netdev's private data and will be freed along with netdev (needs_free_netdev = true).
How to reproduce: Add mdelay(500) at the beginning of ldisc_close() to widen the race window, then run the reproducer program [1].
Note: There is a separate deadloop issue in handle_tx() when using PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper serial backend). This deadloop exists even without this patch, and is likely caused by inconsistency between uart_write_room() and uart_write() in serial core. It has been addressed in a separate patch [2].
KASAN report:
============== BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620 Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929
Call Trace: <TASK> dump_stack_lvl+0x10e/0x1f0 print_report+0xd0/0x630 kasan_report+0xe4/0x120 handle_tx+0x5d1/0x620 dev_hard_start_xmit+0x9d/0x6c0 __dev_queue_xmit+0x6e2/0x4410 packet_xmit+0x243/0x360 packet_sendmsg+0x26cf/0x5500 __sys_sendto+0x4a3/0x520 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0xc9/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f615df2c0d7
Allocated by task 9930:
Freed by task 64:
Last potentially related work creation:
The buggy address belongs to the object at ffff8881131e1000 which belongs to the cache kmalloc-cg-2k of size 2048 The buggy address is located 1168 bytes inside of freed 2048-byte region [ffff8881131e1000, ffff8881131e1800)
The buggy address belongs to the physical page: page_owner tracks the page as allocated page last free pid 9778 tgid 9778 stack trace:
Memory state around the buggy address: ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ============== [1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb [2]: https://lore.kernel.org/linux-serial/20260204074327.226165-1-jiayuan.chen@linux.dev/T/#u
AnalysisAI
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Technical ContextAI
The affected component is the CAIF (Communication CPU-to-Application CPU Interface) TTY line discipline driver, drivers/net/caif/caif_serial.c, which bridges a serial tty to a CAIF network interface used historically with ST-Ericsson modem hardware. The root cause is CWE-416 (Use-After-Free): the driver-private ser structure and its bound tty have a 1:1 lifecycle, with ser allocated in ldisc_open() and freed in ser_release() via unregister_netdevice() (needs_free_netdev = true). The bug is that ldisc_close() releases the tty reference (tty_kref_put) before the netdev is unregistered, leaving handle_tx() free to read ser->tty and invoke tty->ops->write() against a freed kmalloc-cg-2k (2048-byte) object. The fix defers tty_kref_put() to ser_release() after unregister_netdevice(), saving ser->tty beforehand because ser lives in netdev private data and is freed with the netdev. CPE data identifies only cpe:2.3:o:linux:linux_kernel as affected (component-level granularity is not expressed in the CPE).
RemediationAI
Apply the vendor-released kernel patch by upgrading to a fixed stable release for your branch: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or mainline 7.0 (fix commits at https://git.kernel.org/stable/c/308e7e4d0a846359685f40aade023aee7b27284c and the sibling commits listed in the advisory; see https://nvd.nist.gov/vuln/detail/CVE-2026-45866 and https://vuldb.com/vuln/366064). If you cannot patch immediately, the most effective compensating control is to remove the attack surface: ensure the CAIF TTY driver is not built or not loadable - blacklist/unload the caif_serial module (e.g., do not autoload it and restrict modprobe), which has no side effect on systems that do not use CAIF modems but will break any legitimate CAIF-over-serial link. Additionally restrict the ability to attach line disciplines and open the relevant tty/serial devices to trusted users only, since attaching the CAIF ldisc is a prerequisite; this limits which local accounts can reach the vulnerable path. Generic defense-in-depth such as KASAN is for detection in test, not production mitigation.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP7 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Legacy 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Legacy 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Affected |
| SUSE Linux Enterprise Real Time 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Not-Affected |
| SUSE Linux Enterprise Server 16.0 | Not-Affected |
| SUSE Linux Enterprise Server 16.1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Not-Affected |
| SUSE Linux Micro 6.2 | Not-Affected |
| SUSE Real Time Module 15 SP7 | Affected |
| openSUSE Leap 16.0 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Live Patching 12 SP5 | Affected |
| SUSE Linux Enterprise Live Patching 12 SP5 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP4 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP4 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP5 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5 | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE CaaS Platform 4.0 | Affected |
| SUSE Enterprise Storage 6 | Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise Desktop 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 12 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP1 | Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Micro 5.0 | Affected |
| SUSE Linux Enterprise Micro 5.1 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP5 | Affected |
| SUSE Linux Enterprise Server 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4 | Affected |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP1 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Affected |
| SUSE OpenStack Cloud 9 | Affected |
| SUSE OpenStack Cloud Crowbar 9 | Affected |
| SUSE Real Time Module 15 SP4 | Affected |
| SUSE Real Time Module 15 SP5 | Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32332
GHSA-9834-966g-q77h