Skip to main content

Linux Kernel CVE-2026-45977

| EUVDEUVD-2026-32261 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fgxx-jh4j-vgpg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects the narrow inter-CPU timing window required to win the race condition; all other metrics follow the described local, low-privilege, DoS-only impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:57 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fbnic: close fw_log race between users and teardown

Fixes a theoretical race on fw_log between the teardown path and fw_log write functions.

fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable.

Possible Interleaving Scenario: CPU0: fbnic_fw_msix_intr() // Entry fbnic_fw_log_write() if (fbnic_fw_log_ready()) // true ... preempt ... CPU1: fbnic_remove() // Entry fbnic_fw_log_free() vfree(log->data_start); log->data_start = NULL; CPU0: continues, walks log->entries or writes to log->data_start

The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled.

AnalysisAI

Use-after-free race condition in the Linux kernel's fbnic (Facebook NIC) driver can be triggered by a local attacker to crash the system. The fw_log firmware log buffer is freed during device teardown before the mailbox IRQ is disabled, allowing a concurrent MSIX interrupt handler to dereference a freed or NULL pointer. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; the primary risk is a denial of service to systems hosting fbnic NICs.

Technical ContextAI

The fbnic driver (Facebook NIC) is a network interface driver in the Linux kernel, managing firmware communication via a mailbox (MBX) mechanism and an MSIX interrupt vector. The fw_log structure buffers firmware log messages written by fbnic_fw_log_write(), which is invoked from the interrupt handler fbnic_fw_msix_intr(). During driver teardown (fbnic_remove()), fbnic_fw_log_free() calls vfree() on log->data_start and sets it to NULL - but this occurs before the IRQ and mailbox teardown. A concurrent CPU handling an MSIX interrupt can pass the fbnic_fw_log_ready() check, be preempted, and then resume writing to an already-freed buffer. The root cause class is a time-of-check/time-of-use (TOCTOU) race (analogous to CWE-362 and CWE-416), compounded by incorrect initialization ordering where fw_log was allocated after MBX setup. CPE data confirms the affected product is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. Note: the 'Information Disclosure' tag in the source data appears inconsistent with the CVSS C:N metric and the described crash-only impact; this is likely a mislabeling.

RemediationAI

Upgrade to a patched Linux kernel release: 7.0, 6.18.14, or 6.19.4, as confirmed by EUVD and the upstream stable tree commits at https://git.kernel.org/stable/c/ee5492fd88cfc079c19fbeac78e9e53b7f6c04f3, https://git.kernel.org/stable/c/223cfef4812bdfa5ac5c1aa761cdba03cfe2c9cd, and https://git.kernel.org/stable/c/5f10ab3643c58a22fbaee92c4701b00fcb4a465d. Distribution vendors (Red Hat, Ubuntu, SUSE, Debian) typically backport such fixes to their supported kernel streams; check vendor errata before manual kernel upgrade. If immediate patching is not feasible, a specific compensating control is to prevent unprivileged local users from triggering device removal or driver unbind operations (e.g., restrict udev rules and /sys/bus/pci/drivers/fbnic/unbind permissions to root). This limits the race window to privileged-only scenarios but does not eliminate the theoretical bug. Systems without fbnic NICs are not affected and require no action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy