CVE-2026-43497
- Source
- https://cve.org/CVERecord?id=CVE-2026-43497
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43497.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-43497
- Downstream
- Related
- Published
- 2026-05-21T12:12:47.150Z
- Modified
- 2026-06-03T03:55:12.171669050Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: add vmops to dlfbops_mmap to prevent use-after-free
dlfbopsmmap() uses remappfnrange() to map vmalloc framebuffer pages to userspace but sets no vmops on the VMA. This means the kernel cannot track active mmaps. When dlfbreallocframebuffer() replaces the backing buffer via FBIOPUTVSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfbopsdestroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.
Add vmoperationsstruct with open/close callbacks that maintain an atomic mmapcount on struct dlfbdata. In dlfbreallocframebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.
Tested with PoC using dummyhcd + rawgadget USB device emulation.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43497.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192
- https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7
- https://git.kernel.org/stable/c/5931f5651ee32bd41b3323256b31fcc8e71336ed
- https://git.kernel.org/stable/c/60f711cfd580f86fea8284146ac133804e728f9a
- https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511
- https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1
- https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6
- https://git.kernel.org/stable/c/e3d9865dacd7435b8465848428210d0f0c673311
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43497.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-43497
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7433914efd584b22bb49d3e1eee001f5d0525ecdFixed60f711cfd580f86fea8284146ac133804e728f9aFixed5931f5651ee32bd41b3323256b31fcc8e71336edFixede3d9865dacd7435b8465848428210d0f0c673311Fixed4f312c30f0368e8d2a76aa650dff73f23490b5e7Fixed18dd358de72d57993422cbb5dfb29ccd74efe192Fixedda9b065cedfd3b574f229d5be594e6aa47a27ae6Fixeda2c53a3822ee26e8d758071815b9ed3bf6669fc1Fixed8de779dc40d35d39fa07387b6f921eb11df0f511
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.19.0Fixed5.10.258
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.209
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.175
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.140
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.88
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.30
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed7.0.7