CVE-2026-43232 - Vulnerability Details

- net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets

Description

In the Linux kernel, the following vulnerability has been resolved:

net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets

When the FarSync T-series card is being detached, the fst_card_info is
deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task
may still be running or pending, leading to use-after-free bugs when the
already freed fst_card_info is accessed in fst_process_tx_work_q() or
fst_process_int_work_q().

A typical race condition is depicted below:

CPU 0 (cleanup) | CPU 1 (tasklet)
| fst_start_xmit()
fst_remove_one() | tasklet_schedule()
unregister_hdlc_device()|
| fst_process_tx_work_q() //handler
kfree(card) //free | do_bottom_half_tx()
| card-> //use

The following KASAN trace was captured:

==================================================================
BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00
Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcb/0x5d0
? do_bottom_half_tx+0xb88/0xd00
kasan_report+0xb8/0xf0
? do_bottom_half_tx+0xb88/0xd00
do_bottom_half_tx+0xb88/0xd00
? _raw_spin_lock_irqsave+0x85/0xe0
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx___hrtimer_run_queues+0x10/0x10
fst_process_tx_work_q+0x67/0x90
tasklet_action_common+0x1fa/0x720
? hrtimer_interrupt+0x31f/0x780
handle_softirqs+0x176/0x530
__irq_exit_rcu+0xab/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
...

Allocated by task 41 on cpu 3 at 72.330843s:
kasan_save_stack+0x24/0x50
kasan_save_track+0x17/0x60
__kasan_kmalloc+0x7f/0x90
fst_add_one+0x1a5/0x1cd0
local_pci_probe+0xdd/0x190
pci_device_probe+0x341/0x480
really_probe+0x1c6/0x6a0
__driver_probe_device+0x248/0x310
driver_probe_device+0x48/0x210
__device_attach_driver+0x160/0x320
bus_for_each_drv+0x101/0x190
__device_attach+0x198/0x3a0
device_initial_probe+0x78/0xa0
pci_bus_add_device+0x81/0xc0
pci_bus_add_devices+0x7e/0x190
enable_slot+0x9b9/0x1130
acpiphp_check_bridge.part.0+0x2e1/0x460
acpiphp_hotplug_notify+0x36c/0x3c0
acpi_device_hotplug+0x203/0xb10
acpi_hotplug_work_fn+0x59/0x80
...

Freed by task 41 on cpu 1 at 75.138639s:
kasan_save_stack+0x24/0x50
kasan_save_track+0x17/0x60
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kfree+0x135/0x410
fst_remove_one+0x2ca/0x540
pci_device_remove+0xa6/0x1d0
device_release_driver_internal+0x364/0x530
pci_stop_bus_device+0x105/0x150
pci_stop_and_remove_bus_device+0xd/0x20
disable_slot+0x116/0x260
acpiphp_disable_and_eject_slot+0x4b/0x190
acpiphp_hotplug_notify+0x230/0x3c0
acpi_device_hotplug+0x203/0xb10
acpi_hotplug_work_fn+0x59/0x80
...

The buggy address belongs to the object at ffff88800aad1000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 28 bytes inside of
freed 1024-byte region
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800aad1000: fa fb
---truncated---

Published: 2026-05-06

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free in the Linux kernel network driver. When a FarSync T‑series card is detached, the device structure is freed while related tasklets may still execute. If a tasklet accesses the freed structure, the kernel can dereference invalid memory, causing a crash, memory corruption or, potentially, arbitrary code execution. The weakness involves a race condition (CWE‑364) that results in a use‑after‑free (CWE‑416). The primary impact is kernel denial of service and the possibility of privilege escalation if the attacker can influence the contents of freed memory.

Affected Systems

This issue affects the Linux operating system kernel. All kernel builds that include the net:wan:farsync module are potentially vulnerable. No specific version range is announced, so any kernel that has not yet incorporated the advisory commit is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high risk, while the EPSS score is < 1%. The vulnerability is not listed in CISA KEV, indicating no known public exploits yet. Based on the description, it is inferred that the attacker must trigger a race between card detachment and pending tasklets, which can be achieved by manipulating PCI hot‑plug or by sending specialized traffic to the driver. The combination of a race condition and a use‑after‑free in kernel space is considered high risk because it provides a low‑barrier local or remote code execution path after a triggered race. Given the potential for catastrophic kernel compromise, the overall risk is deemed high.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`51e2d1b84acac39f79cacb60e6e154ce00a9d308`	affected	< cac048ebfbb92d91d719f74b59177cb70a7633b8
`998b4e54f517961d3d75144c088a24423e003005`	affected	< 086131807d119238cd464e5b0845e48d938dfd79
`bb1715a6bfb0c57a68524732a376498a2569f016`	affected	< ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc
`2f623aaf9f31de968dea6169849706a2f9be444c`	affected	< 337d7b4112a47984ee319171b75b73bab47e7924
`2f623aaf9f31de968dea6169849706a2f9be444c`	affected	< 200bdb8d367ca9b478f9c56ebe56411604d55c81
`2f623aaf9f31de968dea6169849706a2f9be444c`	affected	< 21d341fe514fd07e345ed264c9eee21cb2061ca2
`2f623aaf9f31de968dea6169849706a2f9be444c`	affected	< 04edfdfdfcdefc02408ab670607261b0a0a9a02e
`2f623aaf9f31de968dea6169849706a2f9be444c`	affected	< bae8a5d2e759da2e0cba33ab2080deee96a09373
`41798a063fd4721b609e11ad839b6820f5070ca7`	affected	—
`b1fe377b43c405b169cffd1b3aa39c1dde16f3ed`	affected	—
`ce9dc768767bbe73d2dd330a9075e849cb8a84d4`	affected	—
`0c5f2c7700cb18aeab1574588d3bb9c0454bf228`	affected	—
`024d2a7c8ee5bfe14357f20cf1bbbbcc5d228cc9`	affected	—
`5.10.163`	affected	< 5.10.252
`5.15.86`	affected	< 5.15.202
`6.1.2`	affected	< 6.1.165
`4.9.337`	affected	< 4.10
`4.14.303`	affected	< 4.15
`4.19.270`	affected	< 4.20
`5.4.229`	affected	< 5.5
`6.0.16`	affected	< 6.1

Linux

affected

Version	Status	Constraints
`6.2`	affected	—
`0`	unaffected	< 6.2
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[51e2d1b84acac39f79cacb60e6e154ce00a9d308,cac048ebfbb92d91d719f74b59177cb70a7633b8)`	affected	code_commit	—
`[998b4e54f517961d3d75144c088a24423e003005,086131807d119238cd464e5b0845e48d938dfd79)`	affected	code_commit	—
`[bb1715a6bfb0c57a68524732a376498a2569f016,ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc)`	affected	code_commit	—
`[2f623aaf9f31de968dea6169849706a2f9be444c,337d7b4112a47984ee319171b75b73bab47e7924)`	affected	code_commit	—
`[2f623aaf9f31de968dea6169849706a2f9be444c,200bdb8d367ca9b478f9c56ebe56411604d55c81)`	affected	code_commit	—
`[2f623aaf9f31de968dea6169849706a2f9be444c,21d341fe514fd07e345ed264c9eee21cb2061ca2)`	affected	code_commit	—
`[2f623aaf9f31de968dea6169849706a2f9be444c,04edfdfdfcdefc02408ab670607261b0a0a9a02e)`	affected	code_commit	—
`[2f623aaf9f31de968dea6169849706a2f9be444c,bae8a5d2e759da2e0cba33ab2080deee96a09373)`	affected	code_commit	—
`[41798a063fd4721b609e11ad839b6820f5070ca7,*]`	affected	code_commit	—
`[b1fe377b43c405b169cffd1b3aa39c1dde16f3ed,*]`	affected	code_commit	—
`[ce9dc768767bbe73d2dd330a9075e849cb8a84d4,*]`	affected	code_commit	—
`[0c5f2c7700cb18aeab1574588d3bb9c0454bf228,*]`	affected	code_commit	—
`[024d2a7c8ee5bfe14357f20cf1bbbbcc5d228cc9,*]`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.2`	affected	semver	—
`[0,6.2)`	unaffected	semver	—
`[5.10.252,5.10.*]`	unaffected	semver	—
`[5.15.202,5.15.*]`	unaffected	semver	—
`[6.1.165,6.1.*]`	unaffected	semver	—
`[6.6.128,6.6.*]`	unaffected	semver	—
`[6.12.75,6.12.*]`	unaffected	semver	—
`[6.18.16,6.18.*]`	unaffected	semver	—
`[6.19.6,6.19.*]`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release that incorporates the net:wan:farsync patch.
If a kernel upgrade is not feasible at this time, disable the FarSync driver or block hot‑plug removal of FarSync devices until a patched kernel is available.
Limit privileged access to the PCI hot‑plug interface and monitor kernel logs for KASAN reports or abnormal tasklet activity as an early warning of the condition.

Generated by OpenCVE AI on May 12, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e
https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79
https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81
https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2
https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924
https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc
https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373
https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8
https://lore.kernel.org/linux-cve-announce/2026050656-CVE-2026-43232-5dff@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43232
https://www.cve.org/CVERecord?id=CVE-2026-43232

History

Tue, 12 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Thu, 07 May 2026 04:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026050656-CVE-2026-43232-5dff@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43232 https://www.cve.org/CVERecord?id=CVE-2026-43232

Wed, 06 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q(). A typical race condition is depicted below: CPU 0 (cleanup) \| CPU 1 (tasklet) \| fst_start_xmit() fst_remove_one() \| tasklet_schedule() unregister_hdlc_device()\| \| fst_process_tx_work_q() //handler kfree(card) //free \| do_bottom_half_tx() \| card-> //use The following KASAN trace was captured: ================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 ... Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx___hrtimer_run_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 __irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ... Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head\|node=0\|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88800aad1000: fa fb ---truncated---
Title		net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79 https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81 https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2 https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924 https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373 https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:28.910Z

Updated: 2026-05-23T16:06:31.895Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43232

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:43.223

Modified: 2026-05-12T19:08:04.757

Link: CVE-2026-43232

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43232 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object