In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix clk handling on PCI glue driver removal
platformdeviceunregister() may still want to use the registered clks during runtime resume callback.
Note that there is a commit d82d5303c4c5 ("net: macb: fix use after free on rmmod") that addressed the similar problem of clk vs platform device unregistration but just moved the bug to another place.
Save the pointers to clks into local variables for reuse after platform device is unregistered.
BUG: KASAN: use-after-free in clk_prepare+0x5a/0x60 Read of size 8 at addr ffff888104f85e00 by task modprobe/597
CPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x8d/0xba printreport+0x17f/0x496 kasanreport+0xd9/0x180 clkprepare+0x5a/0x60 macbruntimeresume+0x13d/0x410 [macb] pmgenericruntimeresume+0x97/0xd0 __rpmcallback+0xc8/0x4d0 rpmcallback+0xf6/0x230 rpm_resume+0xeeb/0x1a70 __pmruntimeresume+0xb4/0x170 bus_removedevice+0x2e3/0x4b0 devicedel+0x5b3/0xdc0 platformdevicedel+0x4e/0x280 platformdeviceunregister+0x11/0x50 pcideviceremove+0xae/0x210 deviceremove+0xcb/0x180 devicereleasedriverinternal+0x529/0x770 driverdetach+0xd4/0x1a0 busremovedriver+0x135/0x260 driverunregister+0x72/0xb0 pciunregisterdriver+0x26/0x220 _dosysdeletemodule+0x32e/0x550 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x6e/0xd8 </TASK>
Allocated by task 519: kasansavestack+0x2c/0x50 kasansettrack+0x21/0x30 __kasan_kmalloc+0x8e/0x90 __clkregister+0x458/0x2890 clkhw_register+0x1a/0x60 __clkhwregisterfixedrate+0x255/0x410 clkregisterfixedrate+0x3c/0xa0 macbprobe+0x1d8/0x42e [macbpci] localpciprobe+0xd7/0x190 pcideviceprobe+0x252/0x600 reallyprobe+0x255/0x7f0 __driverprobedevice+0x1ee/0x330 driverprobedevice+0x4c/0x1f0 __driverattach+0x1df/0x4e0 busforeachdev+0x15d/0x1f0 busadddriver+0x486/0x5e0 driverregister+0x23a/0x3d0 dooneinitcall+0xfd/0x4d0 doinitmodule+0x18b/0x5a0 loadmodule+0x5663/0x7950 _dosysfinitmodule+0x101/0x180 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x6e/0xd8
Freed by task 597: kasansavestack+0x2c/0x50 kasansettrack+0x21/0x30 kasansavefree_info+0x2a/0x50 __kasanslabfree+0x106/0x180 __kmemcachefree+0xbc/0x320 clkunregister+0x6de/0x8d0 macbremove+0x73/0xc0 [macb_pci] pcideviceremove+0xae/0x210 deviceremove+0xcb/0x180 devicereleasedriverinternal+0x529/0x770 driverdetach+0xd4/0x1a0 busremovedriver+0x135/0x260 driverunregister+0x72/0xb0 pciunregisterdriver+0x26/0x220 _dosysdeletemodule+0x32e/0x550 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x6e/0xd8
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43015.json"
}