CVE-2026-43447
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix PTP use-after-free during reset
Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable.
This creates a race condition where iavf_reset_task() or
iavf_disable_vf() free adapter resources (AQ) while the worker is still
running. If the worker triggers iavf_queue_ptp_cmd() during teardown, it
accesses freed memory/locks, leading to a crash.
Fix this by calling iavf_ptp_release() before tearing down the adapter.
This ensures ptp_clock_unregister() synchronously cancels the worker and
cleans up the chardev before the backing resources are destroyed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 7c01dbfc8a1c5f8b8e4a7907ab06db1449d478d0 < 1b034f2429ce6b45ce74dc266175d277acafc5c4 | affected |
| Linux | Linux | 7c01dbfc8a1c5f8b8e4a7907ab06db1449d478d0 < 90cc8b2add29b57288025b51c70bc647e7cccb12 | affected |
| Linux | Linux | 7c01dbfc8a1c5f8b8e4a7907ab06db1449d478d0 < efc54fb13d79117a825fef17364315a58682c7ec | affected |
| Linux | Linux | 6.15 | affected |
| Linux | Linux | 0 < 6.15 | unaffected |
| Linux | Linux | 6.18.19 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.9 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4
- https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12
- https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.