CVE-2026-43203 - Vulnerability Details

- atm: fore200e: fix use-after-free in tasklets during device removal

Description

In the Linux kernel, the following vulnerability has been resolved:

atm: fore200e: fix use-after-free in tasklets during device removal

When the PCA-200E or SBA-200E adapter is being detached, the fore200e
is deallocated. However, the tx_tasklet or rx_tasklet may still be running
or pending, leading to use-after-free bug when the already freed fore200e
is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().

One of the race conditions can occur as follows:

CPU 0 (cleanup) | CPU 1 (tasklet)
fore200e_pca_remove_one() | fore200e_interrupt()
fore200e_shutdown() | tasklet_schedule()
kfree(fore200e) | fore200e_tx_tasklet()
| fore200e-> // UAF

Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before
the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to
synchronize with any pending or running tasklets. Moreover, since
fore200e_reset() could prevent further interrupts or data transfers,
the tasklet_kill() should be placed after fore200e_reset() to prevent
the tasklet from being rescheduled in fore200e_interrupt(). Finally,
it only needs to do tasklet_kill() when the fore200e state is greater
than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized
in earlier states. In a word, the tasklet_kill() should be placed in
the FORE200E_STATE_IRQ branch within the switch...case structure.

This bug was identified through static analysis.

Published: 2026-05-06

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, a use‑after‑free bug was discovered in the fore200e ATM driver. When a PCA‑200E or SBA‑200E adapter is detached, the driver structure is freed while an associated tasklet may still be scheduled or running. The tasklet then accesses the freed memory, leading to undefined behaviour. This flaw corresponds to a use‑after‑free (CWE‑416) vulnerability, which can potentially be exploited to alter kernel memory or crash the system, effectively allowing privilege escalation or denial of service.

Affected Systems

The vulnerability affects all Linux kernel builds that include the fore200e driver for the PCA‑200E and SBA‑200E adapters. The specific kernel versions are not listed in the advisory, so any affected release prior to the fix may be impacted. Systems that employ the fore200e driver and allow dynamic removal of the hardware are at risk.

Risk and Exploitability

Exploit requires a local privileged user capable of removing the PCA‑200E or SBA‑200E adapter while the kernel is handling I/O, making the attack vector a local user attack. The CVSS score of 7.5 reflects a high severity vulnerability, and an EPSS score of < 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation campaigns. Nonetheless, potential for kernel crash or arbitrary code execution warrants rapid remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 91f25749aaf57c47ae1e12478144e6ea8c8562f2
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 73fbc5d1a9ccb626937500bbd67136f077d8237b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< aba0b4bc09376dfc3d53c826514fe38fc8337f52
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e075ec9b08f862dade8011481058f7eb5f716c57
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 97900f512252a59f23d6ce4ab215cc88fed66e68
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 5189368f10903956be05062d160b2804bf5e5016
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8930878101cd40063888a68af73b1b0f8b6c79bc

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,91f25749aaf57c47ae1e12478144e6ea8c8562f2)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,73fbc5d1a9ccb626937500bbd67136f077d8237b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,aba0b4bc09376dfc3d53c826514fe38fc8337f52)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e075ec9b08f862dade8011481058f7eb5f716c57)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,97900f512252a59f23d6ce4ab215cc88fed66e68)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5189368f10903956be05062d160b2804bf5e5016)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8930878101cd40063888a68af73b1b0f8b6c79bc)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	semver	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the tasklet_kill fix for the fore200e driver.
If an immediate update is not available, avoid removing the PCA‑200E or SBA‑200E adapter during normal operation; perform removal only during controlled shutdown or reboot.
Monitor system logs for "panic" or "oops" messages related to the fore200e driver and apply patches promptly.
Ensure that any custom kernel modules that interact with the fore200e driver are built against the updated kernel to maintain compatibility.

Generated by OpenCVE AI on May 11, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016
https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b
https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc
https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2
https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68
https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52
https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57
https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d
https://lore.kernel.org/linux-cve-announce/2026050646-CVE-2026-43203-6705@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43203
https://www.cve.org/CVERecord?id=CVE-2026-43203

History

Mon, 11 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Thu, 07 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050646-CVE-2026-43203-6705@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43203 https://www.cve.org/CVERecord?id=CVE-2026-43203

Wed, 06 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet(). One of the race conditions can occur as follows: CPU 0 (cleanup) \| CPU 1 (tasklet) fore200e_pca_remove_one() \| fore200e_interrupt() fore200e_shutdown() \| tasklet_schedule() kfree(fore200e) \| fore200e_tx_tasklet() \| fore200e-> // UAF Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure. This bug was identified through static analysis.
Title		atm: fore200e: fix use-after-free in tasklets during device removal
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016 https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2 https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68 https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52 https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57 https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:08.949Z

Updated: 2026-05-11T22:19:58.630Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43203

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:39.477

Modified: 2026-05-11T20:10:27.037

Link: CVE-2026-43203

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43203 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object