CVE-2026-43447
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel iavf Driver

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43447
EUVD
EUVD-2026-28753
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 6.15 (inc) to 6.18.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause the system to crash due to use-after-free memory access in the iavf driver. Such crashes can lead to denial of service, potentially disrupting network functionality or system stability.

Executive Summary

This vulnerability exists in the Linux kernel's iavf driver. A commit introduced a worker to periodically cache PHC time but failed to stop this worker during a reset or disable operation. This leads to a race condition where adapter resources are freed while the worker is still running. If the worker triggers a command during teardown, it accesses memory or locks that have already been freed, causing a crash.

The fix involves calling a release function before tearing down the adapter to ensure the worker is synchronously cancelled and resources are properly cleaned up.

Mitigation Strategies

The vulnerability is fixed by ensuring that the worker caching PHC time is stopped during reset or disable operations.

Specifically, the fix involves calling the function iavf_ptp_release() before tearing down the adapter. This call synchronously cancels the worker and cleans up resources to prevent use-after-free conditions.

Therefore, immediate mitigation steps include updating the Linux kernel to a version containing this fix or applying the patch that calls iavf_ptp_release() during adapter reset or disable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart