Vulnerabilities ›

CVE-2026-43015

High

CWE-416 — Weakness Type

                    Published: May 1, 2026                      ·  Modified: May 8, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

net: macb: fix clk handling on PCI glue driver removal

platform_device_unregister() may still want to use the registered clks
during runtime resume callback.

Note that there is a commit d82d5303c4c5 ("net: macb: fix use after free
on rmmod") that addressed the similar problem of clk vs platform device
unregistration but just moved the bug to another place.

Save the pointers to clks into local variables for reuse after platform
device is unregistered.

BUG: KASAN: use-after-free in clk_prepare+0x5a/0x60
Read of size 8 at addr ffff888104f85e00 by task modprobe/597

CPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x8d/0xba
print_report+0x17f/0x496
kasan_report+0xd9/0x180
clk_prepare+0x5a/0x60
macb_runtime_resume+0x13d/0x410 [macb]
pm_generic_runtime_resume+0x97/0xd0
__rpm_callback+0xc8/0x4d0
rpm_callback+0xf6/0x230
rpm_resume+0xeeb/0x1a70
__pm_runtime_resume+0xb4/0x170
bus_remove_device+0x2e3/0x4b0
device_del+0x5b3/0xdc0
platform_device_del+0x4e/0x280
platform_device_unregister+0x11/0x50
pci_device_remove+0xae/0x210
device_remove+0xcb/0x180
device_release_driver_internal+0x529/0x770
driver_detach+0xd4/0x1a0
bus_remove_driver+0x135/0x260
driver_unregister+0x72/0xb0
pci_unregister_driver+0x26/0x220
__do_sys_delete_module+0x32e/0x550
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
</TASK>

Allocated by task 519:
kasan_save_stack+0x2c/0x50
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x8e/0x90
__clk_register+0x458/0x2890
clk_hw_register+0x1a/0x60
__clk_hw_register_fixed_rate+0x255/0x410
clk_register_fixed_rate+0x3c/0xa0
macb_probe+0x1d8/0x42e [macb_pci]
local_pci_probe+0xd7/0x190
pci_device_probe+0x252/0x600
really_probe+0x255/0x7f0
__driver_probe_device+0x1ee/0x330
driver_probe_device+0x4c/0x1f0
__driver_attach+0x1df/0x4e0
bus_for_each_dev+0x15d/0x1f0
bus_add_driver+0x486/0x5e0
driver_register+0x23a/0x3d0
do_one_initcall+0xfd/0x4d0
do_init_module+0x18b/0x5a0
load_module+0x5663/0x7950
__do_sys_finit_module+0x101/0x180
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 597:
kasan_save_stack+0x2c/0x50
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x50
__kasan_slab_free+0x106/0x180
__kmem_cache_free+0xbc/0x320
clk_unregister+0x6de/0x8d0
macb_remove+0x73/0xc0 [macb_pci]
pci_device_remove+0xae/0x210
device_remove+0xcb/0x180
device_release_driver_internal+0x529/0x770
driver_detach+0xd4/0x1a0
bus_remove_driver+0x135/0x260
driver_unregister+0x72/0xb0
pci_unregister_driver+0x26/0x220
__do_sys_delete_module+0x32e/0x550
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8

🤖 AI Executive Summary

CVE-2026-43015 is a use-after-free vulnerability in the Linux kernel's macb network driver affecting PCI glue driver removal. The flaw occurs when platform_device_unregister() triggers runtime resume callbacks that attempt to access clock pointers that have already been freed, causing kernel crashes. This vulnerability requires local access to trigger but can lead to denial of service or potential privilege escalation on affected systems.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 03:07

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations running Linux-based infrastructure, particularly: (1) Telecom sector (STC, Mobily) - affects network equipment and base station controllers using macb drivers; (2) Energy sector (ARAMCO, SEC) - impacts industrial control systems and SCADA networks; (3) Government agencies (NCA, CITC) - affects critical infrastructure and data center operations; (4) Banking sector (SAMA-regulated institutions) - impacts network infrastructure and payment processing systems. The vulnerability allows local attackers to crash systems or potentially escalate privileges, disrupting critical services.

🏢 Affected Saudi Sectors

Telecommunications (STC, Mobily, Zain) Energy (ARAMCO, SEC, power utilities) Government (NCA, CITC, ministries) Banking (SAMA-regulated institutions, payment processors) Healthcare (MOH, private hospitals) Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1548 - Abuse Elevation Control Mechanism (privilege escalation potential) T1499 - Endpoint Denial of Service (system crash via use-after-free) T1529 - System Shutdown/Reboot (uncontrolled system crashes) T1562 - Impair Defenses (disabling security monitoring via kernel panic)

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Linux systems running kernel versions with macb PCI driver (check: uname -r and grep -i macb /boot/config-*)

2. Assess exposure: systems with PCI-based Ethernet controllers (Cadence GEM/macb devices)

3. Implement access controls to restrict local user privileges



PATCHING GUIDANCE:

1. Apply kernel security updates from your distribution (Ubuntu, RHEL, Debian, etc.)

2. For RHEL/CentOS: yum update kernel && reboot

3. For Ubuntu: apt update && apt upgrade linux-image-generic && reboot

4. For custom kernels: apply upstream patch saving clock pointers to local variables before platform_device_unregister()

5. Verify patch: grep -A5 'Save the pointers to clks' /boot/config-* or check kernel version >= patched release



COMPENSATING CONTROLS (if immediate patching unavailable):

1. Restrict local user access via PAM and sudo configurations

2. Disable module loading: echo 'install macb /bin/true' >> /etc/modprobe.d/disable-macb.conf

3. Monitor system logs for KASAN warnings: grep -i 'use-after-free\|clk_prepare' /var/log/kern.log

4. Implement SELinux/AppArmor policies restricting module operations



DETECTION RULES:

1. Monitor kernel logs: journalctl -u kernel | grep -E 'KASAN|use-after-free|clk_prepare'

2. Alert on modprobe/rmmod operations: auditctl -w /sys/module/macb -p wa

3. Track system crashes: check dmesg for 'BUG: KASAN' patterns

4. Monitor PCI device removal events: grep 'pci_device_remove' /var/log/kern.log

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أنظمة Linux التي تعمل بإصدارات النواة مع برنامج تشغيل macb PCI

2. تقييم التعرض: الأنظمة التي تحتوي على وحدات تحكم Ethernet المستندة إلى PCI

3. تنفيذ عناصر التحكم في الوصول لتقييد امتيازات المستخدم المحلي

إرشادات التصحيح:

1. تطبيق تحديثات أمان النواة من التوزيع الخاص بك

2. لـ RHEL/CentOS: yum update kernel && reboot

3. لـ Ubuntu: apt update && apt upgrade linux-image-generic && reboot

4. للنوى المخصصة: تطبيق رقعة المنبع الأصلي مع حفظ مؤشرات الساعة في متغيرات محلية

5. التحقق من الرقعة: تحقق من إصدار النواة المصحح

عناصر التحكم البديلة:

1. تقييد وصول المستخدم المحلي عبر تكوينات PAM و sudo

2. تعطيل تحميل الوحدات: echo 'install macb /bin/true' >> /etc/modprobe.d/disable-macb.conf

3. مراقبة سجلات النظام بحثاً عن تحذيرات KASAN

4. تنفيذ سياسات SELinux/AppArmor

قواعد الكشف:

1. مراقبة سجلات النواة للبحث عن أخطاء KASAN

2. التنبيه على عمليات modprobe/rmmod

3. تتبع أعطال النظام في dmesg

4. مراقبة أحداث إزالة أجهزة PCI

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Change management procedures for system updates ECC 2024 A.14.2.1 - Secure development and maintenance practices ECC 2024 A.12.2.1 - Monitoring and logging of system activities

🔵 SAMA CSF

SAMA CSF ID.BE-1 - Business Resilience (system availability) SAMA CSF PR.DS-6 - Data security and integrity SAMA CSF DE.CM-1 - Detection and monitoring of anomalies

🟡 ISO 27001:2022

ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Secure development and maintenance ISO 27001:2022 A.12.2.1 - Monitoring and logging

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates for system components PCI DSS 10.2 - Logging and monitoring of access to cardholder data

🔗 References & Sources 8

🔗

https://git.kernel.org/stable/c/16ab4c0e2b15df5d33bfcb9ea8e4441b85dd4a57

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/2d96204e4184d6f7dd2f93c6f218fd0c1f55e9ae

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/3496fb9e66f79d4def3bb7ec7563e3eaa33a688f

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/67f70841a175fa3469119f52d77a3662c07507a2

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/b3f799cdf830df1782ae463cf15ace35015be99e

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/bf64cae913cdd4821f13d5d1d68900c0891bef69

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/ce8fe5287b87e24e225c342f3b0ec04f0b3680fe

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/f310a836da90d0f0321b14d446c071af63f9ee4c

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 Affected Products / CPE 24 entries

linux:linux_kernel

linux:linux_kernel:5.15

linux:linux_kernel:7.0

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-416

EPSS0.03%

Exploit No

Patch ✓ Yes

Published 2026-05-01

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-416

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-43015

💬 Comments

Introduce Yourself

Sign In Required