Description
In the Linux kernel, the following vulnerability has been resolved:

net/mana: Null service_wq on setup error to prevent double destroy

In mana_gd_setup() error path, set gc->service_wq to NULL after
destroy_workqueue() to match the cleanup in mana_gd_cleanup().
This prevents a use-after-free if the workqueue pointer is checked
after a failed setup.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s mana driver can leave the data‑structure field service_wq pointing to freed memory during an error path in mana_gd_setup(). If the field is accessed after a failed setup, a use‑after‑free can occur, potentially causing a kernel panic or allowing an attacker to execute code in kernel mode. The weakness is a classic use‑after‑free scenario (CWE‑825), and the kernel‑level nature of the defect makes any successful exploitation highly damaging to system integrity and availability.
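The stale-pointer pattern described above, as an added userspace model (not the kernel's or the mana driver's code). The struct and function names are hypothetical stand-ins, and the model assumes that cleanup guards on a non-NULL pointer and runs after a failed setup.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: hypothetical stand-ins for the workqueue and context. */
struct wq_model { int destroy_calls; };           /* counts destroy calls */
struct gc_model { struct wq_model *service_wq; };

/* Stand-in for destroy_workqueue(): records the call instead of freeing. */
static void destroy_wq_model(struct wq_model *wq) { wq->destroy_calls++; }

/* Setup that fails after the workqueue exists (constructed failure). */
static int setup_model(struct gc_model *gc, struct wq_model *wq, int null_on_error)
{
    gc->service_wq = wq;                 /* workqueue created */
    /* ... a later setup step fails, so the error path runs ... */
    destroy_wq_model(gc->service_wq);
    if (null_on_error)
        gc->service_wq = NULL;           /* the fix: no stale pointer left behind */
    return -1;
}

/* Cleanup guarded by the pointer check (assumed), nulling after destroy. */
static void cleanup_model(struct gc_model *gc)
{
    if (gc->service_wq) {
        destroy_wq_model(gc->service_wq);
        gc->service_wq = NULL;
    }
}

/* Returns how many times the same workqueue was destroyed. */
int destroys_after_failed_setup(int null_on_error)
{
    struct wq_model wq = {0};
    struct gc_model gc = {0};
    if (setup_model(&gc, &wq, null_on_error) != 0)
        cleanup_model(&gc);              /* assumed: cleanup follows failed setup */
    return wq.destroy_calls;
}

int main(void)
{
    printf("without NULL: %d destroy calls\n", destroys_after_failed_setup(0));
    printf("with NULL:    %d destroy calls\n", destroys_after_failed_setup(1));
    return 0;
}
```

In the kernel the second destroy would operate on freed memory; the model counts calls instead so it can run safely.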

Affected Systems

The issue exists in any Linux kernel that compiles the mana driver, regardless of the major kernel release. All builds that contain the buggy mana_gd_setup() code before the patch are considered vulnerable. Distribution maintainers or custom kernel builds that have not applied the commit adding the null assignment remain at risk until an updated kernel is deployed.

Risk and Exploitability

The CVSS score of 7.0 reflects a high-severity use-after-free in the kernel. The EPSS score is 0.00017, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread public exploitation. Exploitation would require a local attacker able to trigger the failed setup path, for example by loading a malicious kernel module or executing code with sufficient privileges to manipulate the driver. Once the patch is applied, the fault is eliminated: the workqueue pointer is set to NULL, which prevents a double destroy.

Generated by OpenCVE AI on May 9, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit adding the null assignment to service_wq (e.g., commit 59489ce60d7412ed82fb1d8002faa3102dcd4916) or any subsequent revision containing the fix.
  • If immediate updating is not feasible, disable or unload the mana driver until the patch is applied, thereby removing the vulnerable code path from the running kernel.
  • Enforce strict module‑loading policies so that only trusted, signed modules can be loaded, reducing the chance that a local attacker can trigger the fault on a system where the driver remains present.

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-590

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-590

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/mana: Null service_wq on setup error to prevent double destroy In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup.
Title net/mana: Null service_wq on setup error to prevent double destroy
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:09.334Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43440

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:56.420

Modified: 2026-05-08T15:16:56.420

Link: CVE-2026-43440

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43440 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses