serial: caif: fix use-after-free in caif_serial ldisc_close()
Summary
| CVE | CVE-2026-45866 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 14:16:58 UTC |
| Updated | 2026-05-27 14:48:31 UTC |
Description
In the Linux kernel, the following vulnerability has been resolved:

serial: caif: fix use-after-free in caif_serial ldisc_close()

There is a use-after-free bug in caif_serial where handle_tx() may access ser->tty after the tty has been freed. The race condition occurs between ldisc_close() and packet transmission:

```
CPU 0 (close)                        CPU 1 (xmit)
-------------                        ------------
ldisc_close()
  tty_kref_put(ser->tty)
  [tty may be freed here]
                                     <-- race window -->
                                     caif_xmit()
                                       handle_tx()
                                         tty = ser->tty      // dangling ptr
                                         tty->ops->write()   // UAF!
  schedule_work()
    ser_release()
      unregister_netdevice()
```

The root cause is that tty_kref_put() is called in ldisc_close() while the network device is still active and can receive packets. Since ser and tty have a 1:1 binding relationship with consistent lifecycles (ser is allocated in ldisc_open and freed in ser_release via unregister_netdevice, and each ser binds exactly one tty), we can safely defer the tty reference release to ser_release() where the network device is unregistered.

Fix this by moving tty_kref_put() from ldisc_close() to ser_release(), after unregister_netdevice(). This ensures the tty reference is held as long as the network device exists, preventing the UAF.

Note: We save ser->tty before unregister_netdevice() because ser is embedded in netdev's private data and will be freed along with netdev (needs_free_netdev = true).

How to reproduce: Add mdelay(500) at the beginning of ldisc_close() to widen the race window, then run the reproducer program [1].

Note: There is a separate deadloop issue in handle_tx() when using PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper serial backend). This deadloop exists even without this patch, and is likely caused by inconsistency between uart_write_room() and uart_write() in serial core. It has been addressed in a separate patch [2].

KASAN report:

```
==================================================================
BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620
Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929

Call Trace:
 <TASK>
 dump_stack_lvl+0x10e/0x1f0
 print_report+0xd0/0x630
 kasan_report+0xe4/0x120
 handle_tx+0x5d1/0x620
 dev_hard_start_xmit+0x9d/0x6c0
 __dev_queue_xmit+0x6e2/0x4410
 packet_xmit+0x243/0x360
 packet_sendmsg+0x26cf/0x5500
 __sys_sendto+0x4a3/0x520
 __x64_sys_sendto+0xe0/0x1c0
 do_syscall_64+0xc9/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f615df2c0d7

Allocated by task 9930:

Freed by task 64:

Last potentially related work creation:

The buggy address belongs to the object at ffff8881131e1000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 1168 bytes inside of
 freed 2048-byte region [ffff8881131e1000, ffff8881131e1800)

The buggy address belongs to the physical page:
page_owner tracks the page as allocated
page last free pid 9778 tgid 9778 stack trace:

Memory state around the buggy address:
 ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```

[1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb
[2]: https://lore.kernel.org/linux-serial/[email protected]/T/#u
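The lifetime ordering the fix depends on, replayed as a user-space model. This is an added example, not the caif_serial driver's code or the reproducer linked above: the struct layouts, the `freed` flags standing in for KASAN's poisoned shadow, and the `run_race()` harness are all assumptions chosen for illustration. It shows why dropping the tty reference in ldisc_close() lets a transmit on the still-registered netdev read a dangling `ser->tty`, and why the fixed ser_release() must save `ser->tty` before unregister_netdevice() frees the netdev that embeds `ser`.

```c
#include <stdio.h>

/*
 * User-space model of the caif_serial tty lifetime bug and its fix. This is
 * an added illustration, not the kernel driver's code. Nothing is really
 * allocated or freed: a "freed" flag stands in for KASAN's poisoned shadow,
 * so a dangling access is reported instead of crashing.
 */
struct tty {
    int refcount;       /* ldisc_open() takes one reference */
    int freed;          /* set when the last reference is dropped */
    int bytes_written;  /* sink for "tty->ops->write()" */
};

struct ser_device {
    struct tty *tty;    /* 1:1 binding, like ser->tty in the driver */
};

struct net_device {
    struct ser_device ser;  /* embedded in the netdev private data */
    int registered;
    int freed;              /* needs_free_netdev: ser goes away with dev */
};

struct race_result {
    int uaf;        /* 1 if handle_tx() touched a freed tty */
    int tty_freed;  /* 1 if the tty reference was eventually dropped */
};

static void tty_kref_put(struct tty *tty)
{
    if (--tty->refcount == 0)
        tty->freed = 1;     /* kfree() in the kernel */
}

/* Model of handle_tx(): returns 1 if the write hit a freed tty, else 0. */
static int handle_tx(struct ser_device *ser, int len)
{
    struct tty *tty = ser->tty;     /* dangling if the ref was dropped early */
    if (tty->freed)
        return 1;
    tty->bytes_written += len;
    return 0;
}

static void unregister_netdevice(struct net_device *dev)
{
    dev->registered = 0;
    dev->freed = 1;     /* dev and the embedded ser are gone after this */
}

/* Pre-fix ordering: the tty ref is dropped while the netdev is still live. */
static void ldisc_close_buggy(struct net_device *dev) { tty_kref_put(dev->ser.tty); }
static void ser_release_buggy(struct net_device *dev) { unregister_netdevice(dev); }

/* Fixed ordering: ldisc_close() keeps the ref; ser_release() drops it last. */
static void ldisc_close_fixed(struct net_device *dev) { (void)dev; }
static void ser_release_fixed(struct net_device *dev)
{
    struct tty *tty = dev->ser.tty;  /* save first: ser is freed with dev */
    unregister_netdevice(dev);
    tty_kref_put(tty);
}

/* Replay the commit's interleaving: ldisc_close() on CPU 0, a transmit on
 * CPU 1 while the netdev is still registered, then the deferred ser_release(). */
static struct race_result run_race(int fixed)
{
    struct tty tty = { .refcount = 1 };
    struct net_device dev = { .ser = { .tty = &tty }, .registered = 1 };
    struct race_result r = { 0, 0 };

    if (fixed)
        ldisc_close_fixed(&dev);
    else
        ldisc_close_buggy(&dev);

    /* race window: the device is still up, so packets still reach handle_tx() */
    if (dev.registered)
        r.uaf = handle_tx(&dev.ser, 3);

    if (fixed)
        ser_release_fixed(&dev);
    else
        ser_release_buggy(&dev);

    r.tty_freed = tty.freed;
    return r;
}

int main(void)
{
    struct race_result b = run_race(0), f = run_race(1);

    printf("pre-fix ordering: uaf=%d tty_freed=%d\n", b.uaf, b.tty_freed);
    printf("fixed ordering:   uaf=%d tty_freed=%d\n", f.uaf, f.tty_freed);
    return 0;
}
```

With the pre-fix ordering the transmit in the race window reads a tty whose last reference is already gone; with the fixed ordering the tty outlives the netdev, and the reference is still released exactly once, so the fix does not trade the UAF for a leak.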
Risk And Classification
EPSS: 0.00024 exploitation probability, percentile 0.0737 (scored 2026-05-31)
Vendor Declared Affected Products
| Source | Vendor | Product | Status, version range (introducing/fixing git commit or semver release) and version type | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf 5e266ba8d330d3b8e5bc198f238cd8901826cfa1 git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf d3c75db4e0460641dbcd274b40867e252d801da1 git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf 4e63d6f68544ae5269ac9735ae5b69b59b5b8725 git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf 331e2b7051635780edea248dd08ae2026c126f4a git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf 52731ef4438155cea782fac74e547a327ab9e7c5 git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf c8c197aaa56b25a2d54f3aa07e27e228d6c08546 git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf 40962f2bf8cdba63af23aec95ad3f49b689e58e2 git | Not specified |
| CNA | Linux | Linux | affected 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf 308e7e4d0a846359685f40aade023aee7b27284c git | Not specified |
| CNA | Linux | Linux | affected 3.11 | Not specified |
| CNA | Linux | Linux | unaffected 3.11 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.252 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.202 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.165 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.128 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.75 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.14 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.4 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/52731ef4438155cea782fac74e547a327ab9e7c5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/331e2b7051635780edea248dd08ae2026c126f4a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5e266ba8d330d3b8e5bc198f238cd8901826cfa1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d3c75db4e0460641dbcd274b40867e252d801da1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/4e63d6f68544ae5269ac9735ae5b69b59b5b8725 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/40962f2bf8cdba63af23aec95ad3f49b689e58e2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/308e7e4d0a846359685f40aade023aee7b27284c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c8c197aaa56b25a2d54f3aa07e27e228d6c08546 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.