Description
In the Linux kernel, the following vulnerability has been resolved:

iavf: fix PTP use-after-free during reset

Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a
worker to cache PHC time, but failed to stop it during reset or disable.

This creates a race condition where `iavf_reset_task()` or
`iavf_disable_vf()` free adapter resources (AQ) while the worker is still
running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it
accesses freed memory/locks, leading to a crash.

Fix this by calling `iavf_ptp_release()` before tearing down the adapter.
This ensures `ptp_clock_unregister()` synchronously cancels the worker and
cleans up the chardev before the backing resources are destroyed.
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists between the periodic PHC time caching worker in the iavf driver and the adapter reset or disable routines. When the worker runs during teardown, it may access freed memory and lock objects, causing a kernel panic that brings the system down. The result is a local denial of service for all users interacting with the affected network interface.

Affected Systems

All Linux kernel builds that contain the iavf driver before the commit that added the patch (7c01dbfc8a1c5f). The vulnerability applies to every distribution that ships an unpatched kernel, because the affected code is part of the core kernel tree. No version range is specified; any kernel with the unpatched code is vulnerable.

Risk and Exploitability

The CVSS severity is 7.8 and the EPSS score is <1 %. It is not listed in CISA’s KEV catalog. The exploit requires the attacker to have local privilege to trigger a reset or disable operation on the iavf adapter; this prerequisite is inferred from the description, as the vulnerability is triggered only during those internal driver actions. Without local privileged access, an attacker cannot easily drive the crash. Consequently, the risk is judged low to moderate, but the resulting denial of service warrants prompt remediation.

Generated by OpenCVE AI on May 21, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel replacement that includes the iavf patch (which fixes the Use‑After‑Free flaw, CWE‑416) from commit 7c01dbfc8a1c5f or later.
  • If an immediate kernel update is not possible, avoid resetting or disabling the iavf adapter on affected systems and refrain from using PTP functions that rely on the caching worker until the patch is applied.
  • Monitor kernel logs for "iavf" or "ptp" errors; as a temporary workaround, consider disabling PTP support in the driver configuration if the problem persists.

Generated by OpenCVE AI on May 21, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 09 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.
Title iavf: fix PTP use-after-free during reset
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:46.053Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43447

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:57.217

Modified: 2026-05-21T17:02:04.870

Link: CVE-2026-43447

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43447 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses