Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages
to userspace but sets no vm_ops on the VMA. This means the kernel cannot
track active mmaps. When dlfb_realloc_framebuffer() replaces the backing
buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.
On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages
while userspace PTEs still reference them, resulting in a use-after-free:
the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an
atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),
check mmap_count and return -EBUSY if the buffer is currently mapped,
preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
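
The guard described in the commit message above, modelled in userspace C. This is an added example, not the kernel patch and not code from this page: malloc/free stand in for vmalloc/vfree, every model_* name is hypothetical, and the first "open" stands for the count a driver takes in its mmap handler.

```c
/* Added example: userspace model of the mmap_count guard, not kernel code.
 * malloc/free stand in for vmalloc/vfree; all model_* names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct model_dlfb {
    void *fb;               /* backing framebuffer */
    size_t len;
    atomic_int mmap_count;  /* live VMAs that still map fb */
};

/* vm_ops open/close: a VMA is created or duplicated (fork), or torn down (munmap, exit). */
static void model_vma_open(struct model_dlfb *d) { atomic_fetch_add(&d->mmap_count, 1); }
static void model_vma_close(struct model_dlfb *d) { atomic_fetch_sub(&d->mmap_count, 1); }

/* Buffer replacement is refused while any mapping could hold stale PTEs. */
static int model_realloc_framebuffer(struct model_dlfb *d, size_t new_len)
{
    void *new_fb;
    if (atomic_load(&d->mmap_count) > 0)
        return -EBUSY;
    new_fb = calloc(1, new_len);
    if (!new_fb) return -ENOMEM;
    free(d->fb);            /* safe: no VMA references the old buffer */
    d->fb = new_fb;
    d->len = new_len;
    return 0;
}

/* Open `opened` VMAs, close `closed` of them, then attempt a resize. */
int model_try_resize(int opened, int closed)
{
    struct model_dlfb d = { .fb = calloc(1, 4096), .len = 4096 };
    int i, ret;
    atomic_init(&d.mmap_count, 0);
    for (i = 0; i < opened; i++) model_vma_open(&d);
    for (i = 0; i < closed; i++) model_vma_close(&d);
    ret = model_realloc_framebuffer(&d, 8192);
    free(d.fb);
    return ret;
}

int main(void)
{
    printf("%d %d %d\n", model_try_resize(1, 0), model_try_resize(2, 1), model_try_resize(2, 2));
    return 0;
}
```

The middle case is the one a plain "is it mapped" flag would miss: after a fork-style duplication, one unmap still leaves a live mapping, so the resize must keep failing until the count reaches zero.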
Published: 2026-05-21
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's udlfb framebuffer driver contains a use-after-free condition. When the framebuffer is mapped into userspace, the virtual memory area (VMA) is given no vm_ops, so the kernel does not track active memory maps. When the backing buffer is reallocated via FBIOPUT_VSCREENINFO, existing page table entries continue to reference the old pages. A USB device disconnect then triggers a cleanup that frees those pages, resulting in a use-after-free that grants the attacking process arbitrary read and write access to kernel memory.

Affected Systems

All Linux kernel builds that include the udlfb framebuffer driver are affected; the issue is present from kernel versions that ship the driver up to the latest upstream kernels before the patch is merged. It does not affect distributions that disable CONFIG_FB_DUMMY or that do not load the udlfb module.

Risk and Exploitability

The CVSS score of 7.3 classifies the flaw as high severity. The EPSS score of <1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, requiring the attacker to supply a USB device that interacts with the udlfb driver—for example, a dummy USB host controller or a USB gadget emulation. Inferred from the description, the attacker would need to trigger a framebuffer reallocation or a USB disconnect while the framebuffer remains mapped. Because of the low EPSS and the requirement for a specialized attack scenario, the vulnerability is best regarded as a low‑to‑moderate local risk that could lead to privilege escalation if successful.

Generated by OpenCVE AI on May 30, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that includes the udlfb mmap‑tracking patch
  • If a kernel update is not immediately possible, unload the udlfb module or disable the CONFIG_FB_DUMMY option in the kernel configuration
  • Restrict the use of FBIOPUT_VSCREENINFO to privileged users to prevent untrusted processes from reallocating the framebuffer
  • If necessary, apply the upstream patch from the Git commit references included in the advisory



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


Fri, 22 May 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 22 May 2026 00:15:00 +0000


Thu, 21 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 21 May 2026 12:30:00 +0000

Type Values Removed Values Added
Title fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:16:01.191Z

Reserved: 2026-05-01T14:12:56.013Z

Link: CVE-2026-43497

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-21T13:16:19.090

Modified: 2026-06-01T17:17:05.777

Link: CVE-2026-43497

Redhat

Severity :

Public Date: 2026-05-21T00:00:00Z

Links: CVE-2026-43497 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference