Description
In the Linux kernel, the following vulnerability has been resolved:

atm: fore200e: fix use-after-free in tasklets during device removal

When the PCA-200E or SBA-200E adapter is being detached, the fore200e
is deallocated. However, the tx_tasklet or rx_tasklet may still be running
or pending, leading to use-after-free bug when the already freed fore200e
is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().

One of the race conditions can occur as follows:

CPU 0 (cleanup) | CPU 1 (tasklet)
fore200e_pca_remove_one() | fore200e_interrupt()
fore200e_shutdown() | tasklet_schedule()
kfree(fore200e) | fore200e_tx_tasklet()
| fore200e-> // UAF

Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before
the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to
synchronize with any pending or running tasklets. Moreover, since
fore200e_reset() could prevent further interrupts or data transfers,
the tasklet_kill() should be placed after fore200e_reset() to prevent
the tasklet from being rescheduled in fore200e_interrupt(). Finally,
it only needs to do tasklet_kill() when the fore200e state is greater
than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized
in earlier states. In a word, the tasklet_kill() should be placed in
the FORE200E_STATE_IRQ branch within the switch...case structure.

This bug was identified through static analysis.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a use‑after‑free bug was discovered in the fore200e ATM driver. When a PCA‑200E or SBA‑200E adapter is detached, the device structure is freed while an associated tasklet may still be scheduled or running. The tasklet then accesses the freed memory, leading to undefined behaviour. If an attacker can trigger the device removal while the tasklet is pending, they could potentially use the fault to alter kernel memory or crash the system, effectively allowing privilege escalation or denial of service.

Affected Systems

The vulnerability affects all Linux kernel builds that include the fore200e driver for the PCA‑200E and SBA‑200E adapters. The specific kernel versions are not listed in the advisory, so any affected release prior to the fix may be impacted. Systems that employ the fore200e driver and allow dynamic removal of the hardware are at risk.

Risk and Exploitability

Although the CVSS score is not disclosed, use‑after‑free is a high‑severity flaw. Exploitation requires a local privileged user capable of removing the adapter while the kernel is processing I/O, making the attack vector a local user attack. The absence of an EPSS score suggests limited public exploitation data. The flaw is not listed in CISA’s KEV catalog, indicating no known active exploitation campaigns. Nevertheless, the potential for arbitrary code execution or system crash warrants rapid remediation.

Generated by OpenCVE AI on May 6, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the tasklet_kill fix for the fore200e driver.
  • If an immediate update is not available, avoid removing the PCA‑200E or SBA‑200E adapter during normal operation; perform removal only during controlled shutdown or reboot.
  • Monitor system logs for “panic” or “oops” messages related to the fore200e driver and apply patches promptly.
  • Ensure that any custom kernel modules that interact with the fore200e driver are built against the updated kernel to maintain compatibility.

Generated by OpenCVE AI on May 6, 2026 at 13:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet(). One of the race conditions can occur as follows: CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet() | fore200e-> // UAF Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure. This bug was identified through static analysis.
Title atm: fore200e: fix use-after-free in tasklets during device removal
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:08.949Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43203

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:39.477

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses