Skip to main content

Linux Kernel EUVDEUVD-2026-28746

| CVE-2026-43440 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-25hr-298p-f2jg
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 17:22 vuln.today
CVSS changed
May 21, 2026 - 17:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mana: Null service_wq on setup error to prevent double destroy

In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup.

AnalysisAI

Local privilege escalation potential in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a use-after-free via a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.

Technical ContextAI

The vulnerability lives in drivers/net/ethernet/microsoft/mana, the Linux driver for Microsoft Azure Network Adapter (MANA) NICs used in Hyper-V and Azure guest workloads. In the mana_gd_setup() error path, destroy_workqueue() is called on gc->service_wq but the pointer is not cleared; if mana_gd_cleanup() (or any subsequent check) later evaluates the pointer and calls destroy_workqueue() again, this constitutes a classic CWE-416 use-after-free on the workqueue object, which can corrupt kernel slab memory. The CPE strings (cpe:2.3:a:linux:linux) confirm this is mainline Linux kernel code, and the EUVD-tracked commit IDs (59489ce6, 6c923926, 87c23028) reference the stable-tree backports of the NULL-after-free fix.

RemediationAI

Patch available per vendor advisory - upgrade to Linux kernel 6.18.19 or later in the 6.18 series, or 6.19.9 or later in the 6.19 series, by pulling the stable backports referenced in the kernel.org commits https://git.kernel.org/stable/c/59489ce60d7412ed82fb1d8002faa3102dcd4916, https://git.kernel.org/stable/c/6c92392602b451e3869f15ab685f8f650e942b13, and https://git.kernel.org/stable/c/87c2302813abc55c46485711a678e3c312b00666. For distribution kernels, apply vendor-supplied updates from the corresponding Linux distribution (consult your distro's CVE tracker referencing CVE-2026-43440). As a compensating control for systems that cannot be promptly updated, unload or blacklist the mana driver (modprobe -r mana; add 'blacklist mana' under /etc/modprobe.d/) on hosts that do not require Microsoft Azure Network Adapter functionality - the trade-off is loss of network connectivity on Azure/Hyper-V guests that depend on this synthetic NIC, so this is only viable for systems using alternative network drivers.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy