CVE-2026-43458
Analyzed Analyzed - Analysis Complete
Kernel Use-After-Free in CAIF Serial Line Discipline

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied, the reproducer no longer triggers the UAF in my testing.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43458
EUVD
EUVD-2026-28764
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 2.6.35 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) issue in the Linux kernel related to the serial CAIF (Cellular Interface) driver. Specifically, a reference to tty->link is not properly held during certain operations, leading to a slab-use-after-free error in the pty_write_room() function when the CAIF serial transmit path calls tty_write_room().

The problem occurs because the lifetime of the tty->link reference is not correctly managed. The fix involves holding an extra kernel reference (kref) on tty->link for the duration of the CAIF serial line discipline, acquiring it in ldisc_open() and releasing it in ser_release(), including error paths. This prevents the use-after-free condition from occurring.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the freed memory.

Since it affects the serial CAIF driver in the Linux kernel, systems using this driver could be vulnerable to such attacks if the flaw is triggered.

Mitigation Strategies

The vulnerability has been resolved by holding an extra reference on tty->link for the lifetime of the caif_serial line discipline, specifically by acquiring it in ldisc_open() and releasing it in ser_release(), including error paths.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43458. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart