CVE-2026-43458 - Vulnerability Details

- serial: caif: hold tty->link reference in ldisc_open and ser_release

Description

In the Linux kernel, the following vulnerability has been resolved:

serial: caif: hold tty->link reference in ldisc_open and ser_release

A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.

With this change applied, the reproducer no longer triggers the UAF in
my testing.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw exists in the Linux kernel’s serial CAIF (Control and Adaptation Interface for FUSS) line discipline. The missing reference to tty->link during ldisc_open and ser_release causes a KASAN-detected UAF when caif_serial’s TX path invokes tty_write_room, potentially enabling an attacker to corrupt kernel memory or execute arbitrary code with elevated privileges. The weakness is a classic use‑after‑free error (CWE‑416) and involves memory reference misuse (CWE‑911).

Affected Systems

The affected product is the Linux kernel. All kernel releases prior to the application of the fix that introduces an extra kref on tty->link are vulnerable. No specific version range is listed; any kernel containing the buggy caif_serial line discipline may be impacted.

Risk and Exploitability

No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the nature of the flaw suggests a high impact if successfully exploited because it occurs in kernel space and can lead to arbitrary code execution. Without a CVSS score the exact severity is unknown, but the potential for kernel compromise warrants immediate attention. The likely attack vector involves interacting with a serial CAIF device (e.g., from user space), which could be achieved locally or remotely if the device is exposed over a network or shared environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 23a3ac2e2262a291498567418227b99e1f3606b1
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 52135420e9f75853ea0c6cea7b736e3e98495f7d
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< ca2ceba983bb23ea0202c2882d963253416654a3
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 8460187b4852fd00bd1c76394358053f3fa4d089
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 27e43356d0defb9fc7fa25265219a3ffeb7b3e98
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 35b58d3bc716ebb9ebd10fe1cac8c1177242511c
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 97a0bb491cae39478c6225381f14e9ac67b7bba7
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 288598d80a068a0e9281de35bcb4ce495f189e2a

Linux

affected

Version	Status	Constraints
`2.6.35`	affected	—
`0`	unaffected	< 2.6.35
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e31d5a05948e4478ba8396063d1e1f39880928e2,23a3ac2e2262a291498567418227b99e1f3606b1)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,52135420e9f75853ea0c6cea7b736e3e98495f7d)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,ca2ceba983bb23ea0202c2882d963253416654a3)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,8460187b4852fd00bd1c76394358053f3fa4d089)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,27e43356d0defb9fc7fa25265219a3ffeb7b3e98)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,35b58d3bc716ebb9ebd10fe1cac8c1177242511c)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,97a0bb491cae39478c6225381f14e9ac67b7bba7)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,288598d80a068a0e9281de35bcb4ce495f189e2a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.35`	affected	semver	—
`[0,2.6.35)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the kref fix for caif_serial line discipline.
If an update cannot be applied immediately, reboot the system to unload any stale caif_serial modules that may still reference freed memory.
If the CAIF serial device is not required, disable it by removing the corresponding module or restricting access permissions to mitigate risk.
Monitor kernel logs for KASAN or other memory corruption messages to detect unsuccessful exploitation attempts.

Generated by OpenCVE AI on May 9, 2026 at 13:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1
https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98
https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a
https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c
https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d
https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089
https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7
https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3
https://lore.kernel.org/linux-cve-announce/2026050800-CVE-2026-43458-d72f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43458
https://www.cve.org/CVERecord?id=CVE-2026-43458

History

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026050800-CVE-2026-43458-d72f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43458 https://www.cve.org/CVERecord?id=CVE-2026-43458

Fri, 08 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied, the reproducer no longer triggers the UAF in my testing.
Title		serial: caif: hold tty->link reference in ldisc_open and ser_release
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1 https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98 https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089 https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7 https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:21.997Z

Updated: 2026-05-08T14:22:21.997Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43458

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:58.630

Modified: 2026-05-08T15:16:58.630

Link: CVE-2026-43458

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43458 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T13:45:34Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object