CVE-2026-43203
Use-After-Free in Linux Kernel's fore200e ATM Driver
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the fore200e driver is updated to a version where the fix is applied. The fix involves properly canceling the tx_tasklet or rx_tasklet before the fore200e device is released by adding tasklet_kill() in fore200e_shutdown(). This prevents use-after-free conditions during device removal.
Can you explain this vulnerability to me?
This vulnerability is a use-after-free bug in the Linux kernel's fore200e driver for PCA-200E or SBA-200E adapters. When one of these adapters is removed, the fore200e device structure is deallocated, but the tx_tasklet or rx_tasklet (which handle transmission and reception tasks) may still be running or scheduled to run. If these tasklets access the already freed fore200e structure, it leads to a use-after-free condition.
The issue arises due to a race condition between the cleanup process that frees the fore200e structure and the tasklets that may still be executing. The fix involves properly canceling these tasklets using tasklet_kill() after resetting the device but before freeing the structure, ensuring no tasklets access freed memory.
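The ordering described above, as an added userspace model in C (not the kernel driver's code and not the upstream patch). The struct and function names are stand-ins chosen for this example, and "freeing" is modelled with a flag so the program is safe to run.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, constructed for illustration. All names are stand-ins. */
struct tasklet { bool scheduled; void (*fn)(void *); void *data; };

struct dev {                       /* stand-in for the fore200e structure */
    bool freed;                    /* set instead of calling free(), so the model is safe to run */
    int stale_accesses;            /* handler runs that happened after the "free" */
    struct tasklet tx_tasklet, rx_tasklet;
};

static void handler(void *data)    /* models the tx/rx tasklet body touching the device */
{
    struct dev *d = data;
    if (d->freed)
        d->stale_accesses++;       /* in the kernel this access is the use-after-free */
}

static void run_if_scheduled(struct tasklet *t)   /* what the softirq does later */
{
    if (t->scheduled) {
        t->scheduled = false;
        t->fn(t->data);
    }
}

/* Like tasklet_kill(): returns only once a scheduled tasklet has run and finished. */
static void model_tasklet_kill(struct tasklet *t) { run_if_scheduled(t); }

/* Removal while both tasklets are already scheduled; returns accesses after the free. */
int remove_device(bool kill_tasklets)
{
    struct dev d = { .freed = false };
    d.tx_tasklet = (struct tasklet){ true, handler, &d };
    d.rx_tasklet = (struct tasklet){ true, handler, &d };

    if (kill_tasklets) {           /* fixed ordering: after reset, before the free */
        model_tasklet_kill(&d.tx_tasklet);
        model_tasklet_kill(&d.rx_tasklet);
    }
    d.freed = true;                /* models freeing the device structure */
    run_if_scheduled(&d.tx_tasklet);   /* deferred work that outlived the device */
    run_if_scheduled(&d.rx_tasklet);
    return d.stale_accesses;
}

int main(void)
{
    printf("without kill: %d stale accesses\n", remove_device(false));
    printf("with kill:    %d stale accesses\n", remove_device(true));
    return 0;
}
```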
How can this vulnerability impact me?
This use-after-free vulnerability can lead to undefined behavior in the Linux kernel, such as system crashes, data corruption, or potential escalation of privileges if exploited. Since the kernel accesses freed memory, it may cause instability or security issues on systems using the affected PCA-200E or SBA-200E adapters.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability was identified through static analysis and involves a use-after-free bug in the fore200e driver during device removal. There are no specific detection commands or network/system indicators provided.