CVE-2026-43138 - Vulnerability Details

- reset: gpio: suppress bind attributes in sysfs

Description

In the Linux kernel, the following vulnerability has been resolved:

reset: gpio: suppress bind attributes in sysfs

This is a special device that's created dynamically and is supposed to
stay in memory forever. We also currently don't have a devlink between
it and the actual reset consumer. Suppress sysfs bind attributes so that
user-space can't unbind the device because - as of now - it will cause a
use-after-free splat from any user that puts the reset control handle.

Published: 2026-05-06

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s reset GPIO driver creates a dynamic device that is meant to persist in memory. The driver exposes sysfs bind attributes, allowing user space to unbind the device. If an attacker unbinds it, the kernel dereferences freed memory, resulting in a use‑after‑free condition. This can corrupt data, crash the kernel, or provide a foothold for arbitrary code execution. The underlying weakness is a use‑after‑free condition (CWE‑416), compounded by improper event handling (CWE‑825).

Affected Systems

All Linux kernel builds that contain the unprotected reset GPIO sysfs bind attributes are affected. This includes any release prior to the patch that suppresses those attributes; there is no vendor‑specific restriction since the vulnerability resides in the core kernel code.

Risk and Exploitability

Exploitation requires the ability to write to the sysfs bind attribute, which typically demands local user privileges and access to the device’s directory under /sys. The attack vector is inferred from the description of unbinding the device via user space. The CVSS score is 7.8, and the EPSS score is <1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. As a result, the risk remains limited to local users with write access to the reset device’s sysfs directory; remote exploitation without additional privilege escalation remains unlikely.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cee544a40e4426040946e685988b1489f13e6600`	affected	< 09d6efc6abd42809956d598906c222ccd1c8ae92
`cee544a40e4426040946e685988b1489f13e6600`	affected	< 76801c3dfca0ac6339a23e9615b5f23e25b8644c
`cee544a40e4426040946e685988b1489f13e6600`	affected	< 1d7d869f074f98c34fe23f6a56e5f3acc1f95a2b
`cee544a40e4426040946e685988b1489f13e6600`	affected	< 16de4c6a8fe9ff497ca1aba33ef0dbee09f11952

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[cee544a40e4426040946e685988b1489f13e6600,09d6efc6abd42809956d598906c222ccd1c8ae92)`	affected	code_commit	—
`[cee544a40e4426040946e685988b1489f13e6600,76801c3dfca0ac6339a23e9615b5f23e25b8644c)`	affected	code_commit	—
`[cee544a40e4426040946e685988b1489f13e6600,1d7d869f074f98c34fe23f6a56e5f3acc1f95a2b)`	affected	code_commit	—
`[cee544a40e4426040946e685988b1489f13e6600,16de4c6a8fe9ff497ca1aba33ef0dbee09f11952)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.9`	affected	semver	—
`[0,6.9)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a build that includes the patch suppressing reset GPIO sysfs bind attributes.
Verify that the reset GPIO device’s sysfs directory no longer exposes bind attributes and that write access is removed for non‑privileged users.
If an immediate kernel upgrade is not possible, apply strict filesystem permissions or enforce SELinux/AppArmor policies to deny write access to any bind attribute under the reset device’s sysfs path.

Generated by OpenCVE AI on May 12, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/09d6efc6abd42809956d598906c222ccd1c8ae92
https://git.kernel.org/stable/c/16de4c6a8fe9ff497ca1aba33ef0dbee09f11952
https://git.kernel.org/stable/c/1d7d869f074f98c34fe23f6a56e5f3acc1f95a2b
https://git.kernel.org/stable/c/76801c3dfca0ac6339a23e9615b5f23e25b8644c
https://lore.kernel.org/linux-cve-announce/2026050624-CVE-2026-43138-ccd2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43138
https://www.cve.org/CVERecord?id=CVE-2026-43138

History

Tue, 12 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 07 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050624-CVE-2026-43138-ccd2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43138 https://www.cve.org/CVERecord?id=CVE-2026-43138

Wed, 06 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
Title		reset: gpio: suppress bind attributes in sysfs
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/09d6efc6abd42809956d598906c222ccd1c8ae92 https://git.kernel.org/stable/c/16de4c6a8fe9ff497ca1aba33ef0dbee09f11952 https://git.kernel.org/stable/c/1d7d869f074f98c34fe23f6a56e5f3acc1f95a2b https://git.kernel.org/stable/c/76801c3dfca0ac6339a23e9615b5f23e25b8644c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:24.232Z

Updated: 2026-05-11T22:18:29.633Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43138

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:31.117

Modified: 2026-05-12T21:11:43.943

Link: CVE-2026-43138

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43138 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T23:15:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object