In the Linux kernel, the following vulnerability has been resolved:
atm: fore200e: fix use-after-free in tasklets during device removal
When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to a use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().
One of the race conditions can occur as follows:
CPU 0 (cleanup)           | CPU 1 (tasklet)
fore200e_pca_remove_one() | fore200e_interrupt()
  fore200e_shutdown()     |   tasklet_schedule()
  kfree(fore200e)         | fore200e_tx_tasklet()
                          |   fore200e-> // UAF
Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, tasklet_kill() is only needed when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In short, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure.
This bug was identified through static analysis.
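The ordering argument above can be replayed deterministically. The following userspace C model is an added example, not code from the driver or the fix: the state subset, the enum order values and the model_* helpers are hypothetical stand-ins for FORE200E_STATE_*, fore200e_interrupt(), fore200e_reset() and tasklet_kill().

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model (constructed for illustration, not driver code). */
enum state { ST_RESET, ST_IRQ, ST_COMPLETE };   /* hypothetical subset of states */
enum order { NO_KILL, KILL_BEFORE_RESET, KILL_AFTER_RESET };

struct dev {
    enum state state;
    bool irq_live;   /* device can still raise interrupts */
    bool pending;    /* tasklet scheduled, not yet run */
};

/* Interrupt handler: schedules the tasklet while the device is live. */
static void model_interrupt(struct dev *d) { if (d->irq_live) d->pending = true; }
/* Stand-in for tasklet_kill(): nothing pending or running once it returns. */
static void model_tasklet_kill(struct dev *d) { d->pending = false; }
/* Stand-in for fore200e_reset(): no further interrupts after this. */
static void model_reset(struct dev *d) { d->irq_live = false; }

/* Replays teardown with an interrupt arriving between every step.
 * Returns true if a tasklet is still pending when the device would be freed. */
static bool tasklet_pending_at_free(enum state st, enum order o)
{
    struct dev d = { st, st >= ST_IRQ, false };
    model_interrupt(&d);                       /* IRQ just before removal */
    if (o == KILL_BEFORE_RESET && st >= ST_IRQ)
        model_tasklet_kill(&d);                /* too early: IRQs still live */
    model_interrupt(&d);                       /* IRQ racing with shutdown */
    model_reset(&d);
    switch (d.state) {
    case ST_COMPLETE:
    case ST_IRQ:                               /* tasklets exist from here on */
        if (o == KILL_AFTER_RESET)
            model_tasklet_kill(&d);
        break;
    default:                                   /* earlier states: never initialized */
        break;
    }
    model_interrupt(&d);                       /* after reset: cannot reschedule */
    return d.pending;                          /* kfree() would follow here */
}

int main(void)
{
    printf("%d %d %d\n", tasklet_pending_at_free(ST_COMPLETE, NO_KILL),
           tasklet_pending_at_free(ST_COMPLETE, KILL_BEFORE_RESET),
           tasklet_pending_at_free(ST_COMPLETE, KILL_AFTER_RESET));
    return 0;
}
```

Only the kill-after-reset ordering leaves nothing pending at the point of the free; killing before the reset still loses to an interrupt that arrives in between.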
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43203.json"
}