CVE-2026-43458
Kernel Use-After-Free in CAIF Serial Line Discipline

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

serial: caif: hold tty->link reference in ldisc_open and ser_release

A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path.

With this change applied, the reproducer no longer triggers the UAF in my testing.

Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UAF) issue in the Linux kernel related to the serial CAIF (Cellular Interface) driver. Specifically, a reference to tty->link is not properly held during certain operations, leading to a slab-use-after-free error in the pty_write_room() function when the CAIF serial transmit path calls tty_write_room().

The problem occurs because the lifetime of the tty->link reference is not correctly managed. The fix involves holding an extra kernel reference (kref) on tty->link for the duration of the CAIF serial line discipline, acquiring it in ldisc_open() and releasing it in ser_release(), including error paths. This prevents the use-after-free condition from occurring.
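
The reference pattern described above, as an added userspace C model (not the kernel patch and not code from this page). Every struct and function name is a hypothetical stand-in, and a freed flag replaces real deallocation so the stale access is only detected; scenario(1) models the behaviour with the extra reference held, scenario(0) without it.

```c
#include <stddef.h>
/* Userspace model; every name here is a hypothetical stand-in, not kernel
 * code. "freed" replaces a real free so a stale access is detected only. */
struct obj { int refs; int freed; struct obj *link; };
struct ser { struct obj *tty; int holds_link; };
void obj_get(struct obj *o) { o->refs++; }
void obj_put(struct obj *o) { if (--o->refs == 0) o->freed = 1; }

/* Models ldisc_open(): pin the tty and, if hold_link is set, its peer.
 * fail != 0 simulates a later setup step failing. */
int model_open(struct ser *s, struct obj *tty, int hold_link, int fail)
{
    obj_get(tty);
    s->tty = tty;
    s->holds_link = hold_link && tty->link != NULL;
    if (s->holds_link) obj_get(tty->link);
    if (fail) {                       /* error path undoes both gets */
        if (s->holds_link) obj_put(tty->link);
        obj_put(tty);
        return -1;
    }
    return 0;
}

/* Models the TX path reaching tty->link->port: -1 means the peer was
 * already released, the access KASAN reports as a use-after-free. */
int model_tx(const struct ser *s)
{
    return (s->tty->link && s->tty->link->freed) ? -1 : 0;
}

/* Models ser_release(): drop what model_open() took. */
void model_release(struct ser *s)
{
    if (s->holds_link) obj_put(s->tty->link);
    obj_put(s->tty);
}

/* The peer's only other reference is dropped while the ldisc is attached. */
int scenario(int hold_link)
{
    struct obj link = { 1, 0, NULL }, tty = { 1, 0, &link };
    struct ser s = { NULL, 0 };
    model_open(&s, &tty, hold_link, 0);
    obj_put(&link);
    int verdict = model_tx(&s);
    model_release(&s);
    return verdict;
}
int main(void) { return (scenario(1) == 0 && scenario(0) == -1) ? 0 : 1; }
```

The failing-open case matters as much as the release path: a get without a matching put there would leak the peer instead of freeing it too early.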


How can this vulnerability impact me?

This vulnerability can lead to a use-after-free condition in the kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the freed memory.

Since it affects the serial CAIF driver in the Linux kernel, systems using this driver could be vulnerable to such attacks if the flaw is triggered.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by holding an extra reference on tty->link for the lifetime of the caif_serial line discipline, specifically by acquiring it in ldisc_open() and releasing it in ser_release(), including error paths.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

