CVE-2026-43497
Status: Received - Intake
Use-After-Free in udlfb Linux Kernel Framebuffer Driver

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Affected Vendors & Products (1 associated CPE)

Vendor    Product         Version / Range
linux     linux_kernel    *
CWE ID: CWE-UNKNOWN (no CWE assigned on this record)
AI Powered Q&A
Can you explain this vulnerability to me?

The udlfb driver (the Linux framebuffer driver for DisplayLink USB display adapters) maps its vmalloc'ed framebuffer into a process with remap_pfn_range() but attaches no vm_ops to the resulting VMA. Without vm_ops the driver is never told when a mapping is created (mmap, or a fork that duplicates the VMA) or torn down (munmap, process exit), so it cannot know whether the buffer is still mapped.

When a process changes the video mode with the FBIOPUT_VSCREENINFO ioctl, dlfb_realloc_framebuffer() swaps in a new backing buffer, but the page table entries of existing mappings still point at the old pages and are not invalidated. When the USB device disconnects, dlfb_ops_destroy() vfree()s those old pages while the stale PTEs remain, so the process keeps read and write access to freed kernel memory: a use-after-free.

The fix adds a vm_operations_struct whose open and close callbacks keep an atomic mmap_count on struct dlfb_data, and makes dlfb_realloc_framebuffer() return -EBUSY while that count is non-zero, so the backing buffer cannot be replaced while userspace still maps it.
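The mmap_count mechanism described above, as an added userspace model written for this page (it is not the udlfb driver's code or the patch): malloc()/free() stand in for vmalloc()/vfree(), a small struct vma stands in for vm_area_struct, and pte_target records which pages a process's PTEs reference after remap_pfn_range(). The function names dlfb_ops_mmap, dlfb_realloc_framebuffer and dlfb_ops_destroy are borrowed from the description so the roles stay recognisable; their bodies here are a simplification. The model runs the unfixed and fixed lifecycles side by side: mmap, a fork that duplicates the mapping, an FBIOPUT_VSCREENINFO-driven realloc, a USB disconnect, then munmap.

```c
/*
 * Userspace model of the udlfb mmap_count fix (example written for this
 * page, not the kernel driver or the patch). malloc()/free() stand in for
 * vmalloc()/vfree(); struct vma stands in for vm_area_struct.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FB_LEN 4096u

struct dlfb_data {
	unsigned char *backing;	/* current framebuffer pages */
	unsigned char *retired;	/* old pages a realloc left behind; freed on destroy */
	atomic_int mmap_count;	/* added by the fix */
};

struct vma {
	struct dlfb_data *dev;
	uintptr_t pte_target;	/* pages this process's PTEs reference */
	bool live;		/* mapping still exists in the process */
	bool has_vm_ops;	/* false models the unfixed driver */
};

/* vm_ops->open: the mm core calls this when a VMA is duplicated (fork, split). */
static void dlfb_vm_open(struct vma *vma) { atomic_fetch_add(&vma->dev->mmap_count, 1); }
/* vm_ops->close: the mm core calls this when a VMA is torn down (munmap, exit). */
static void dlfb_vm_close(struct vma *vma) { atomic_fetch_sub(&vma->dev->mmap_count, 1); }

static int dlfb_ops_mmap(struct dlfb_data *dev, struct vma *vma, bool fixed)
{
	vma->dev = dev;
	vma->pte_target = (uintptr_t)dev->backing;	/* remap_pfn_range() */
	vma->live = true;
	vma->has_vm_ops = fixed;
	if (fixed)
		dlfb_vm_open(vma);	/* ->open is not run for the initial mmap; count it here */
	return 0;
}

static void vma_fork(const struct vma *parent, struct vma *child)
{
	*child = *parent;		/* child inherits the PTEs */
	if (child->has_vm_ops)
		dlfb_vm_open(child);
}

static void vma_munmap(struct vma *vma)
{
	vma->live = false;
	if (vma->has_vm_ops)
		dlfb_vm_close(vma);	/* without vm_ops the driver hears nothing */
}

/* FBIOPUT_VSCREENINFO path: replace the backing buffer with a larger one. */
static int dlfb_realloc_framebuffer(struct dlfb_data *dev, size_t new_len, bool fixed)
{
	if (fixed && atomic_load(&dev->mmap_count) > 0)
		return -EBUSY;		/* the fix: refuse while any mapping references the buffer */
	unsigned char *nb = calloc(new_len, 1);
	if (!nb)
		return -ENOMEM;
	dev->retired = dev->backing;	/* existing PTEs keep pointing at these pages */
	dev->backing = nb;
	return 0;
}

/* USB disconnect: the retired pages are vfree()d. Returns their address for the check. */
static uintptr_t dlfb_ops_destroy(struct dlfb_data *dev)
{
	uintptr_t addr = (uintptr_t)dev->retired;
	free(dev->retired);
	dev->retired = NULL;
	return addr;
}

struct outcome {
	int count_after_fork;		/* mmap_count seen by the driver with two mappings */
	int realloc_rc;			/* FBIOPUT_VSCREENINFO while both mappings exist */
	bool dangling_pte;		/* a live mapping points at pages destroy freed */
	int realloc_rc_unmapped;	/* FBIOPUT_VSCREENINFO after both mappings are gone */
};

static struct outcome run_scenario(bool fixed)
{
	struct outcome o = { 0 };
	struct dlfb_data dev = { .backing = calloc(FB_LEN, 1) };
	struct vma parent, child;

	atomic_init(&dev.mmap_count, 0);
	dlfb_ops_mmap(&dev, &parent, fixed);		/* mmap() on the fb device node */
	vma_fork(&parent, &child);
	o.count_after_fork = atomic_load(&dev.mmap_count);
	o.realloc_rc = dlfb_realloc_framebuffer(&dev, 2 * FB_LEN, fixed);

	vma_munmap(&child);				/* child exits; parent keeps its mapping */
	uintptr_t freed = dlfb_ops_destroy(&dev);	/* USB disconnect */
	o.dangling_pte = parent.live && freed != 0 && parent.pte_target == freed;

	vma_munmap(&parent);
	o.realloc_rc_unmapped = dlfb_realloc_framebuffer(&dev, 2 * FB_LEN, fixed);
	free(dev.retired);
	free(dev.backing);
	return o;
}

int main(void)
{
	for (int fixed = 0; fixed <= 1; fixed++) {
		struct outcome o = run_scenario(fixed);
		printf("%s: mmap_count=%d realloc=%d dangling_pte=%d realloc_after_unmap=%d\n",
		       fixed ? "fixed  " : "unfixed", o.count_after_fork, o.realloc_rc,
		       (int)o.dangling_pte, o.realloc_rc_unmapped);
	}
	return 0;
}
```

In the unfixed run the driver sees mmap_count 0 even with two processes mapping the buffer, the realloc succeeds, and the parent is left with a live mapping of pages the disconnect freed. In the fixed run the count reads 2 after the fork, the realloc is refused with -EBUSY, and it only succeeds once both mappings have been closed, which is exactly the -EBUSY behaviour the description calls out. The fork step is why the fix needs open/close callbacks rather than a flag set in the mmap handler: only the mm core knows when a VMA is duplicated or torn down.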


How can this vulnerability impact me?

A local process that can open and mmap the udlfb framebuffer device node keeps read and write access, through its stale PTEs, to kernel pages that have already been vfree()d. Once freed, those pages return to the allocator and can be handed to any other kernel user, so reads through the stale mapping disclose whatever is placed there and writes corrupt it.

Depending on what the freed pages are reused for, this use-after-free can lead to information disclosure, memory corruption, privilege escalation, or arbitrary code execution in kernel context. Triggering it requires access to the framebuffer device, a mode change through FBIOPUT_VSCREENINFO, and a USB disconnect of the DisplayLink device; the fix was tested against a PoC that used dummy_hcd and raw_gadget USB device emulation rather than physical hardware.


What immediate steps should I take to mitigate this vulnerability?

Update to a kernel that carries the fix (fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free). With the fix applied, FBIOPUT_VSCREENINFO fails with -EBUSY while the framebuffer is mapped, so an application that changes the video mode must unmap the framebuffer first; plan for this behaviour change when testing the update.

Until the kernel can be updated:

  • If no DisplayLink USB display adapter is needed on the host, keep the udlfb module from loading, for example with an "install udlfb /bin/false" line in a file under /etc/modprobe.d/ (a plain "blacklist udlfb" line only stops automatic loading by device alias, not an explicit modprobe).
  • Restrict which users can open the udlfb framebuffer device node (/dev/fbN); a process that cannot mmap the device cannot hold the stale mappings.
  • Do not rely on avoiding USB disconnects as a control: the disconnect is performed by the device or by whoever has access to the port, not by the host.
