Description
In the Linux kernel, the following vulnerability has been resolved:

net: mana: fix use-after-free in add_adev() error path

If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls
auxiliary_device_uninit(adev).

The auxiliary device has its release callback set to adev_release(),
which frees the containing struct mana_adev. Since adev is embedded in
struct mana_adev, the subsequent fall-through to init_fail and access
to adev->id may result in a use-after-free.

Fix this by saving the allocated auxiliary device id in a local
variable before calling auxiliary_device_add(), and use that saved id
in the cleanup path after auxiliary_device_uninit().
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel net/mana subsystem, a use‑after‑free flaw is triggered when auxiliary_device_add() fails. The error path in add_adev() calls auxiliary_device_uninit(), which invokes the release callback that frees the containing struct mana_adev. After this call the code falls through to init_fail and accesses the freed object's id field, creating a use‑after‑free situation that can corrupt kernel memory and allow an attacker to execute arbitrary code with elevated privileges.

Affected Systems

The vulnerability impacts all Linux kernel versions that include the net/mana code before the countermeasure commit. No specific kernel releases are listed; any unpatched kernel containing this code path is considered vulnerable.

Risk and Exploitability

The CVSS score is 7.8 and the EPSS score is < 1%, indicating moderate severity with a very low probability of exploitation. The flaw is not listed in CISA KEV. Based on the nature of the kernel use‑after‑free, the attack vector is presumed to be local, requiring an attacker to trigger auxiliary_device_add() to fail or otherwise invoke the error path. Successful exploitation would grant the attacker kernel privileges, effectively allowing privilege escalation to root.

Generated by OpenCVE AI on May 7, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that corrects the use‑after‑free in add_adev() (refer to the upstream commit references).
  • Upgrade to the latest Linux kernel release that contains the fix, or rebuild the kernel with the patch applied.
  • If a patch or update is not yet available, disable or restrict the use of the net/mana subsystem until the vulnerability is remediated.

Generated by OpenCVE AI on May 7, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 04 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Sun, 03 May 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sun, 03 May 2026 08:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set to adev_release(), which frees the containing struct mana_adev. Since adev is embedded in struct mana_adev, the subsequent fall-through to init_fail and access to adev->id may result in a use-after-free. Fix this by saving the allocated auxiliary device id in a local variable before calling auxiliary_device_add(), and use that saved id in the cleanup path after auxiliary_device_uninit().
Title net: mana: fix use-after-free in add_adev() error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:51.700Z

Reserved: 2026-05-01T14:12:55.980Z

Link: CVE-2026-43056

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:52.147

Modified: 2026-05-07T19:02:46.660

Link: CVE-2026-43056

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43056 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:15:11Z

Weaknesses