DEBIAN-CVE-2026-43497

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2026-43497
Published: 21 May 2026, 13:16
Last modified:15 Jun 2026, 09:00

Vulnerability Summary

Overall Risk (default)
medium
29/100
CVSS Score
7.3 HIGH
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

21 May 2026, 13:16
Published
Vulnerability first disclosed
15 Jun 2026, 09:00
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

CVSS Metrics

  • v3.1HIGHScore: 7.3CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Systems

  • debianlinux

    all | all | < 6.12.88-1 | < 7.0.7-1

References (1)