7.3
CVE-2026-43497
- EPSS 0.01%
- Veröffentlicht 21.05.2026 12:12:47
- Zuletzt bearbeitet 01.06.2026 17:17:05
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
60f711cfd580f86fea8284146ac133804e728f9a
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
5931f5651ee32bd41b3323256b31fcc8e71336ed
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
e3d9865dacd7435b8465848428210d0f0c673311
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
4f312c30f0368e8d2a76aa650dff73f23490b5e7
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
18dd358de72d57993422cbb5dfb29ccd74efe192
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
da9b065cedfd3b574f229d5be594e6aa47a27ae6
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
a2c53a3822ee26e8d758071815b9ed3bf6669fc1
Status
affected
Version
7433914efd584b22bb49d3e1eee001f5d0525ecd
Version <
8de779dc40d35d39fa07387b6f921eb11df0f511
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
4.19
Status
affected
Version
0
Version <
4.19
Status
unaffected
Version <=
5.10.*
Version
5.10.258
Status
unaffected
Version <=
5.15.*
Version
5.15.209
Status
unaffected
Version <=
6.1.*
Version
6.1.175
Status
unaffected
Version <=
6.6.*
Version
6.6.140
Status
unaffected
Version <=
6.12.*
Version
6.12.88
Status
unaffected
Version <=
6.18.*
Version
6.18.30
Status
unaffected
Version <=
7.0.*
Version
7.0.7
Status
unaffected
Version <=
*
Version
7.1-rc3
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.01% | 0.019 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.3 | 1.3 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
|