CVE-2026-43497

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2026-43497 MGASA-2026-0174 MGASA-2026-0177 OPENSUSE-SU-2026:10859-1 UBUNTU-CVE-2026-43497

Awaiting Analysis

Published: 21 May 2026, 12:12

Last modified:14 Jun 2026, 17:45

Vulnerability Summary

Overall Risk (default)

medium

29/100

CVSS Score

7.3 HIGH

v3.1 (cve.org)

EPSS Score

0.11% LOW

0% probability +0.10%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

21 May 2026, 12:12

Published

Vulnerability first disclosed

14 Jun 2026, 17:45

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

CVSS Metrics

v3.1•HIGH•Score: 7.3CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.11%• Percentile: 2%

Affected Systems

linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 4f312c30f0368e8d2a76aa650dff73f23490b5e7 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 18dd358de72d57993422cbb5dfb29ccd74efe192 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < da9b065cedfd3b574f229d5be594e6aa47a27ae6 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < a2c53a3822ee26e8d758071815b9ed3bf6669fc1 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 8de779dc40d35d39fa07387b6f921eb11df0f511 | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < 60f711cfd580f86fea8284146ac133804e728f9a | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < 5931f5651ee32bd41b3323256b31fcc8e71336ed | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < e3d9865dacd7435b8465848428210d0f0c673311 | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < 4f312c30f0368e8d2a76aa650dff73f23490b5e7 | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < 18dd358de72d57993422cbb5dfb29ccd74efe192 | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < da9b065cedfd3b574f229d5be594e6aa47a27ae6 | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < a2c53a3822ee26e8d758071815b9ed3bf6669fc1 | ≥ 7433914efd584b22bb49d3e1eee001f5d0525ecd, < 8de779dc40d35d39fa07387b6f921eb11df0f511 | 4.19