CVE-2026-43149 - Vulnerability Details

- net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()

Description

In the Linux kernel, the following vulnerability has been resolved:

net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()

The priv->rx_buffer and priv->tx_buffer are alloc'd together as
contiguous buffers in uhdlc_init() but freed as two buffers in
uhdlc_memclean().

Change the cleanup to only call dma_free_coherent() once on the whole
buffer.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A double free occurs in the fsl_ucc_hdlc driver when the cleanup routine frees a single contiguous buffer twice: once for the receive buffer and again for the transmit buffer. This undefined deallocation corrupts kernel memory and can cause the kernel to crash, resulting in a denial of service. The weakness is a classic double free error (CWE‑416).

Affected Systems

All Linux kernel releases that include the fsl_ucc_hdlc module without the upstream commit are affected. The vulnerable component is the net:wan/fsl_ucc_hdlc subsystem within the Linux kernel.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The severity stems from the fact that a double free in kernel space can trigger an immediate crash. The likely attack vector is local; an attacker must be able to interact with the device driver or force a module unload to trigger the faulty cleanup. No mechanism is documented to achieve code execution, so the primary impact is a denial of service via kernel crash.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< 6496fb830cbb741d831225cc4e7e5601c6e42970
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< ba8d8429e5d6c36f9a654d2b96b9e043c43d92b4
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< 011ae5dd84dc9f05eb9b8e1adff44252ac776e7b
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< 0f85a9655445e67bb0238cfc983d7c383b54938e
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< 84b932bc9899d43e5829e6cf088b72d73a922b2b
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< d8a522085d09b30aba1016daf1dddac37c0f0285
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< d68994e37ac3b285692559776e0279a88a3b5f8d
`c19b6d246a35627c3a69b2fa6bdece212b48214b`	affected	< 36bd7d5deef936c4e1e3cd341598140e5c14c1d3

Linux

affected

Version	Status	Constraints
`4.8`	affected	—
`0`	unaffected	< 4.8
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,6496fb830cbb741d831225cc4e7e5601c6e42970)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,ba8d8429e5d6c36f9a654d2b96b9e043c43d92b4)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,011ae5dd84dc9f05eb9b8e1adff44252ac776e7b)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,0f85a9655445e67bb0238cfc983d7c383b54938e)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,84b932bc9899d43e5829e6cf088b72d73a922b2b)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,d8a522085d09b30aba1016daf1dddac37c0f0285)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,d68994e37ac3b285692559776e0279a88a3b5f8d)`	affected	code_commit	—
`[c19b6d246a35627c3a69b2fa6bdece212b48214b,36bd7d5deef936c4e1e3cd341598140e5c14c1d3)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.8`	affected	generic	—
`[0,4.8)`	unaffected	generic	—
`[5.10.252,5.11.0)`	unaffected	generic	—
`[5.15.202,5.16.0)`	unaffected	generic	—
`[6.1.165,6.2.0)`	unaffected	generic	—
`[6.6.128,6.7.0)`	unaffected	generic	—
`[6.12.75,6.13.0)`	unaffected	generic	—
`[6.18.16,6.19.0)`	unaffected	generic	—
`[6.19.6,6.20.0)`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the upstream patch for the fsl_ucc_hdlc module.
If an update is not available, unload or disable the fsl_ucc_hdlc module to prevent the double free from occurring.
If maintaining a custom kernel branch, backport the upstream commit that corrects the cleanup and rebuild the kernel.

Generated by OpenCVE AI on May 6, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/011ae5dd84dc9f05eb9b8e1adff44252ac776e7b
https://git.kernel.org/stable/c/0f85a9655445e67bb0238cfc983d7c383b54938e
https://git.kernel.org/stable/c/36bd7d5deef936c4e1e3cd341598140e5c14c1d3
https://git.kernel.org/stable/c/6496fb830cbb741d831225cc4e7e5601c6e42970
https://git.kernel.org/stable/c/84b932bc9899d43e5829e6cf088b72d73a922b2b
https://git.kernel.org/stable/c/ba8d8429e5d6c36f9a654d2b96b9e043c43d92b4
https://git.kernel.org/stable/c/d68994e37ac3b285692559776e0279a88a3b5f8d
https://git.kernel.org/stable/c/d8a522085d09b30aba1016daf1dddac37c0f0285

History

Wed, 06 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean() The priv->rx_buffer and priv->tx_buffer are alloc'd together as contiguous buffers in uhdlc_init() but freed as two buffers in uhdlc_memclean(). Change the cleanup to only call dma_free_coherent() once on the whole buffer.
Title		net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/011ae5dd84dc9f05eb9b8e1adff44252ac776e7b https://git.kernel.org/stable/c/0f85a9655445e67bb0238cfc983d7c383b54938e https://git.kernel.org/stable/c/36bd7d5deef936c4e1e3cd341598140e5c14c1d3 https://git.kernel.org/stable/c/6496fb830cbb741d831225cc4e7e5601c6e42970 https://git.kernel.org/stable/c/84b932bc9899d43e5829e6cf088b72d73a922b2b https://git.kernel.org/stable/c/ba8d8429e5d6c36f9a654d2b96b9e043c43d92b4 https://git.kernel.org/stable/c/d68994e37ac3b285692559776e0279a88a3b5f8d https://git.kernel.org/stable/c/d8a522085d09b30aba1016daf1dddac37c0f0285

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:31.708Z

Updated: 2026-05-06T11:27:31.708Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43149

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:32.553

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:45:08Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object