CVE-2026-43497
Analyzed Analyzed - Analysis Complete

Use-After-Free in udlfb Linux Kernel Framebuffer Driver

Vulnerability report for CVE-2026-43497, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-21

Last updated on: 2026-06-26

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-21
Last Modified
2026-06-26
Generated
2026-07-07
AI Q&A
2026-05-21
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 4.19 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's framebuffer driver (udlfb) where the mmap operation does not set vm_ops on the virtual memory area (VMA). Because of this, the kernel cannot track active memory mappings.

When the framebuffer backing buffer is replaced, existing memory mappings are not invalidated. If a USB device disconnects, the old framebuffer pages are freed while userspace processes still have read/write access to those freed pages, causing a use-after-free condition.

The fix involves adding vm_operations_struct with open and close callbacks to maintain a count of active mappings, preventing the buffer from being replaced while it is still mapped by userspace.

Impact Analysis

This vulnerability can allow a userspace process to retain read and write access to kernel memory pages that have already been freed.

Such use-after-free conditions can lead to memory corruption, potential privilege escalation, or arbitrary code execution within the kernel context, depending on how the freed memory is reused.

Mitigation Strategies

The vulnerability is caused by the lack of vm_ops on the VMA in the udlfb framebuffer driver, which allows use-after-free when the framebuffer is replaced while still mapped by userspace.

To mitigate this vulnerability, update the Linux kernel to a version where the fix is applied. The fix involves adding vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on the framebuffer data structure, and preventing framebuffer replacement if it is currently mapped (returning -EBUSY).

  • Apply the kernel patch that adds vm_ops to dlfb_ops_mmap.
  • Avoid replacing the framebuffer buffer while it is mapped by userspace.
  • If updating the kernel immediately is not possible, avoid USB disconnects or framebuffer reallocations that trigger the vulnerable code.
Detection Guidance

This vulnerability involves a use-after-free condition in the Linux kernel's udlfb framebuffer driver when handling mmap operations and USB disconnect events. Detection would involve monitoring for processes that have active memory mappings to the framebuffer device while it is being reallocated or disconnected.

Since the vulnerability is related to the udlfb framebuffer driver and its mmap usage, you can check for processes that have the framebuffer device mapped by inspecting /proc/<pid>/maps or using tools like lsof.

  • Use lsof to find processes with the framebuffer device open: lsof /dev/fb*
  • Check memory mappings of processes for framebuffer device pages: grep -r fb /proc/*/maps
  • Monitor kernel logs for messages related to dlfb_realloc_framebuffer or USB disconnect events that might indicate attempts to reallocate or free framebuffer memory.

However, no specific detection commands or signatures are provided in the available information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart