CVE-2026-43138
Awaiting Analysis Awaiting Analysis - Queue

GPIO Reset Bind Attributes Suppression in Linux Kernel

Vulnerability report for CVE-2026-43138, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel related to the reset subsystem's GPIO handling. A special device is created dynamically and is intended to remain in memory permanently. However, there is no device link between this special device and the actual reset consumer. Because of this, the sysfs bind attributes were not suppressed, allowing user-space to unbind the device.

If a user unbinds this device, it can cause a use-after-free error, which means that the system may attempt to access memory that has already been freed. This can lead to system instability or crashes when any user tries to use the reset control handle.

Impact Analysis

This vulnerability can impact you by causing system instability or crashes due to a use-after-free error triggered when user-space unbinds the special reset device. This can affect the reliability and security of systems running the vulnerable Linux kernel, potentially leading to denial of service or unexpected behavior.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43138. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart