CVE-2026-43497
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

INFO

Published Date: May 21, 2026, 1:16 p.m.
Last Modified: May 21, 2026, 1:16 p.m.
Remotely Exploitable: No
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Products

The following products are affected by CVE-2026-43497 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recorded yet

Solution
Add vm_ops and mmap_count to track framebuffer mappings and prevent buffer replacement.
  • Add vm_operations_struct with open/close callbacks.
  • Maintain an atomic mmap_count on struct dlfb_data.
  • Check mmap_count before reallocating framebuffer.
  • Return -EBUSY if buffer is currently mapped.
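
The steps above, modeled in userspace C as an added example (this is not the kernel patch or udlfb code). struct fb_model and the fb_* functions are hypothetical names, and calloc()/free() stand in for the vmalloc framebuffer. The model also shows why the mmap handler counts the first mapping itself: the kernel invokes .open only when an existing VMA is duplicated.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model only: names echo the CVE text, they are not from udlfb.c. */
struct fb_model {
    atomic_int mmap_count;   /* live userspace mappings of buf */
    void *buf;               /* stands in for the vmalloc framebuffer */
    size_t len;
};

/* .open: invoked when a VMA is duplicated (fork, VMA split). */
static void fb_vma_open(struct fb_model *fb)  { atomic_fetch_add(&fb->mmap_count, 1); }
/* .close: invoked once for every VMA that goes away (munmap, exit). */
static void fb_vma_close(struct fb_model *fb) { atomic_fetch_sub(&fb->mmap_count, 1); }

/* mmap handler: .open is not invoked for the first mapping, so count it here. */
static void *fb_mmap(struct fb_model *fb)
{
    fb_vma_open(fb);
    return fb->buf;
}

/* Models the check in dlfb_realloc_framebuffer(): never swap a mapped buffer. */
static int fb_realloc(struct fb_model *fb, size_t new_len)
{
    void *new_buf;

    if (atomic_load(&fb->mmap_count) > 0)
        return -EBUSY;       /* stale PTEs would outlive the old pages */
    new_buf = calloc(1, new_len);
    if (!new_buf)
        return -ENOMEM;
    free(fb->buf);           /* nothing maps the old buffer at this point */
    fb->buf = new_buf;
    fb->len = new_len;
    return 0;
}

int main(void)
{
    struct fb_model fb = { .buf = calloc(1, 4096), .len = 4096 };
    fb_mmap(&fb);                          /* one mapping is now live */
    int busy = fb_realloc(&fb, 8192);      /* refused with -EBUSY */
    fb_vma_close(&fb);                     /* munmap drops the count to 0 */
    int ok = fb_realloc(&fb, 8192);        /* now allowed */
    free(fb.buf);
    return (busy == -EBUSY && ok == 0) ? 0 : 1;
}
```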

The following table lists the changes that have been made to the CVE-2026-43497 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 21, 2026

    Action | Type | Old Value | New Value
    Added | Description | | In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
    Added | Reference | | https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192
    Added | Reference | | https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7
    Added | Reference | | https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511
    Added | Reference | | https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1
    Added | Reference | | https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6