CVE-2026-43458 - Vulnerability Details

- serial: caif: hold tty->link reference in ldisc_open and ser_release

Description

In the Linux kernel, the following vulnerability has been resolved:

serial: caif: hold tty->link reference in ldisc_open and ser_release

A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.

With this change applied, the reproducer no longer triggers the UAF in
my testing.

Published: 2026-05-08

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw exists in the Linux kernel’s serial CAIF line discipline. The missing reference to tty->link during ldisc_open and ser_release causes a KASAN‑detected UAF when caif_serial’s TX path invokes tty_write_room, potentially enabling an attacker to corrupt kernel memory or execute arbitrary code with elevated privileges. The weakness is a classic use‑after‑free error (CWE‑416) and involves memory reference misuse (CWE‑911).

Affected Systems

The affected product is the Linux kernel. All kernel releases prior to the application of the fix that introduces an extra kref on tty->link are vulnerable. No specific version range is listed; any kernel containing the buggy caif_serial line discipline may be impacted.

Risk and Exploitability

An EPSS score of < 1% indicates a low probability of exploitation, but the high CVSS score of 7.8 classifies the flaw as a high‑severity kernel memory corruption vulnerability. The flaw can lead to arbitrary code execution if an attacker can trigger a use‑after‑free in the CAIF serial line discipline. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves interacting with a serial CAIF device from user space, possibly locally or remotely if the device is exposed over a network or shared environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 23a3ac2e2262a291498567418227b99e1f3606b1
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 52135420e9f75853ea0c6cea7b736e3e98495f7d
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< ca2ceba983bb23ea0202c2882d963253416654a3
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 8460187b4852fd00bd1c76394358053f3fa4d089
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 27e43356d0defb9fc7fa25265219a3ffeb7b3e98
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 35b58d3bc716ebb9ebd10fe1cac8c1177242511c
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 97a0bb491cae39478c6225381f14e9ac67b7bba7
`e31d5a05948e4478ba8396063d1e1f39880928e2`	affected	< 288598d80a068a0e9281de35bcb4ce495f189e2a

Linux

affected

Version	Status	Constraints
`2.6.35`	affected	—
`0`	unaffected	< 2.6.35
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e31d5a05948e4478ba8396063d1e1f39880928e2,23a3ac2e2262a291498567418227b99e1f3606b1)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,52135420e9f75853ea0c6cea7b736e3e98495f7d)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,ca2ceba983bb23ea0202c2882d963253416654a3)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,8460187b4852fd00bd1c76394358053f3fa4d089)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,27e43356d0defb9fc7fa25265219a3ffeb7b3e98)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,35b58d3bc716ebb9ebd10fe1cac8c1177242511c)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,97a0bb491cae39478c6225381f14e9ac67b7bba7)`	affected	code_commit	—
`[e31d5a05948e4478ba8396063d1e1f39880928e2,288598d80a068a0e9281de35bcb4ce495f189e2a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.35`	affected	semver	—
`[0,2.6.35)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the kref fix for caif_serial line discipline.
If an update cannot be applied immediately, reboot the system to unload any stale caif_serial modules that may still reference freed memory.
If the CAIF serial device is not required, disable it by removing the corresponding module or restricting access permissions to mitigate risk.
Monitor kernel logs for KASAN or other memory corruption messages to detect unsuccessful exploitation attempts.

Generated by OpenCVE AI on May 21, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1
https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98
https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a
https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c
https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d
https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089
https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7
https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3
https://lore.kernel.org/linux-cve-announce/2026050800-CVE-2026-43458-d72f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43458
https://www.cve.org/CVERecord?id=CVE-2026-43458

History

Thu, 21 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026050800-CVE-2026-43458-d72f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43458 https://www.cve.org/CVERecord?id=CVE-2026-43458

Fri, 08 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied, the reproducer no longer triggers the UAF in my testing.
Title		serial: caif: hold tty->link reference in ldisc_open and ser_release
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1 https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98 https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089 https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7 https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:21.997Z

Updated: 2026-05-11T22:24:58.635Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43458

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:58.630

Modified: 2026-05-21T16:47:42.210

Link: CVE-2026-43458

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43458 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object