Description
In the Linux kernel, the following vulnerability has been resolved:

iavf: fix PTP use-after-free during reset

Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a
worker to cache PHC time, but failed to stop it during reset or disable.

This creates a race condition where `iavf_reset_task()` or
`iavf_disable_vf()` free adapter resources (AQ) while the worker is still
running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it
accesses freed memory/locks, leading to a crash.

Fix this by calling `iavf_ptp_release()` before tearing down the adapter.
This ensures `ptp_clock_unregister()` synchronously cancels the worker and
cleans up the chardev before the backing resources are destroyed.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition between the periodic PHC time caching worker in the iavf driver and the adapter reset or disable routines can cause a use‑after‑free. When the worker faults while the adapter is being torn down, it dereferences freed memory, leading to a kernel panic and a system crash. The resulting loss of service is a local denial of service that affects any process or user that relies on the affected network interface.

Affected Systems

The vulnerability affects all Linux kernel builds that include the iavf driver before the commit that introduced the fix (commit 7c01dbf). It applies to all Linux kernel vendors, regardless of distribution. No specific version range is listed; the issue is present in any kernel that incorporates the unpatched code.

Risk and Exploitability

The vulnerability has a CVSS score of 7.0 and no publicly available EPSS score. It is not listed in CISA's KEV catalog. The exploit requires local privilege access to trigger an adapter reset or disable operation, which is an inferred prerequisite. Without such access, an attacker cannot easily trigger the crash. Based on the available data, the risk is considered low to moderate, but the denial of service impact warrants timely remediation.

Generated by OpenCVE AI on May 9, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel replacement that includes the iavf patch from commit 7c01dbfc8a1c5f or later.
  • If a kernel update is not immediately feasible, avoid resetting or disabling the iavf adapter on affected systems, and refrain from using PTP functions that rely on the caching worker until the patch is applied.
  • Monitor kernel logs for “iavf” or “ptp” errors, and consider disabling PTP support in the driver configuration as a temporary workaround if the problem persists.

Generated by OpenCVE AI on May 9, 2026 at 04:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.
Title iavf: fix PTP use-after-free during reset
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:13.988Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43447

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:57.217

Modified: 2026-05-08T15:16:57.217

Link: CVE-2026-43447

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43447 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses