Skip to main content

Linux Kernel EUVDEUVD-2026-31273

| CVE-2026-43497 HIGH
Use After Free (CWE-416)
2026-05-21 Linux GHSA-233x-r9gj-mfg9
7.3
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 13:28 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.3 (HIGH)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:12 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 12:12 nvd
HIGH 7.3

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

AnalysisAI

Use-after-free in the Linux kernel's udlfb (DisplayLink USB framebuffer) driver allows a local user with access to the framebuffer device to retain read/write access to freed kernel memory pages after a USB disconnect or framebuffer reallocation. The dlfb_ops_mmap() function maps vmalloc-backed framebuffer pages to userspace without installing vm_ops callbacks, so the kernel cannot track active mappings and vfree() is called on pages still referenced by user PTEs. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is not listed in CISA KEV.

Technical ContextAI

The udlfb driver (drivers/video/fbdev/udlfb.c) supports DisplayLink USB display adapters and exposes a /dev/fbN framebuffer device. dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc-allocated pages into a process VMA, but never assigns a vm_operations_struct with open/close hooks, so the driver has no reference count of active mmaps. When userspace calls FBIOPUT_VSCREENINFO, dlfb_realloc_framebuffer() can swap the underlying buffer; on USB disconnect, dlfb_ops_destroy() invokes vfree() on the old pages while userspace PTEs still point at them. The result is a classic use-after-free of kernel memory (CWE-416 class), where freed pages can be reallocated by the kernel slab/page allocator for unrelated data while a userspace process retains read/write access via stale PTEs. The fix introduces vm_ops with an atomic mmap_count and returns -EBUSY from realloc if the buffer is mapped.

RemediationAI

Vendor-released patch: upgrade to Linux 7.1-rc3 (mainline) or one of the stable releases 7.0.7, 6.18.30, 6.12.88, or 6.6.140, whichever matches your branch, picking up the udlfb vm_ops fix from commits da9b065cedfd, 8de779dc40d3, a2c53a3822ee, 4f312c30f036, or 18dd358de72d at https://git.kernel.org/stable/c/. Distribution kernels should pull the corresponding stable backport; check your vendor's security tracker (e.g. Debian, Ubuntu, RHEL, SUSE) and apply the kernel update plus reboot. If patching is delayed, the most effective compensating control is to unload and blacklist the udlfb module (add 'blacklist udlfb' under /etc/modprobe.d/) on systems that do not use DisplayLink USB displays - the trade-off is that any attached DisplayLink adapter will stop functioning. Where udlfb is required, restrict access to /dev/fb* nodes to a trusted group via udev rules to reduce the attacker population, accepting that legitimate users of the framebuffer remain in scope.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-31273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy