VYPR
← All advisories
Unrated severityNVD Advisory· Published May 21, 2026

CVE-2026-43497

CVE-2026-43497

Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's udlfb driver, missing vm_ops on framebuffer mmap allows use-after-free when the backing buffer is reallocated or the device is disconnected.

Vulnerability

The Linux kernel's udlfb framebuffer driver (drivers/video/fbdev/udlfb.c) contains a use-after-free vulnerability due to missing vm_operations_struct (vm_ops) on VMAs created by dlfb_ops_mmap(). The function uses remap_pfn_range() to map vmalloc-allocated framebuffer pages to userspace without setting vm_ops, so the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() is triggered via FBIOPUT_VSCREENINFO ioctl, the backing buffer is freed and replaced without invalidating existing userspace PTEs. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace processes still hold references via stale PTEs, leading to a use-after-free condition. The vulnerability exists in all kernel versions containing the affected code; the fix is deployed in stable kernels after commit 4f312c30f0368e8d2a76aa650dff73f23490b5e7 [1][2].

Exploitation

An attacker needs local access to the system with the ability to open the /dev/fb* device and perform mmap() to map the framebuffer into userspace. Additionally, the attacker must be able to trigger a framebuffer reallocation via FBIOPUT_VSCREENINFO ioctl or cause a USB disconnect of the DisplayLink device. The attack does not require special privileges beyond read/write access to the framebuffer device (typically granted to the user logged in at the console or via group membership). After mapping the framebuffer, the attacker triggers buffer replacement; the kernel frees the original vmalloc pages. The attacker can then access the freed memory through the still-valid userspace mapping, reading or writing freed kernel pages [1].

Impact

Successful exploitation allows an attacker with local access to read or write freed kernel memory, leading to information disclosure (leaking sensitive kernel data) or memory corruption. The attacker can potentially escalate privileges by overwriting freed structures or gain arbitrary read/write within kernel space, as the use-after-free occurs in vmalloc memory that may contain critical kernel objects. The scope is local, but the impact includes kernel information disclosure and potential privilege escalation [1].

Mitigation

The fix adds a vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on the dlfb_data structure. In dlfb_realloc_framebuffer(), the code now checks mmap_count and returns -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. The fix is committed to the Linux stable kernel trees; administrators should update to kernels containing commit 4f312c30f0368e8d2a76aa650dff73f23490b5e7 (or its backport, commit da9b065cedfd3b574f229d5be594e6aa47a27ae6) [1][2]. No workaround is available without applying the patch; users should avoid concurrent device disconnection while applications hold open mmaps on udlfb devices, or ensure the latest patched kernel is installed. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10
8de779dc40d3
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFixed in 7.1-rc3via kernel-cna
commit
4f312c30f036
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFixed in 6.6.140via kernel-cna
commit
18dd358de72d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFixed in 6.12.88via kernel-cna
commit
da9b065cedfd
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFixed in 6.18.30via kernel-cna
commit
a2c53a3822ee
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFixed in 7.0.7via kernel-cna
commit
18dd358de72d
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
4f312c30f036
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
a2c53a3822ee
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
da9b065cedfd
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
8de779dc40d3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit

Vulnerability mechanics

Root cause

"The dlfb_ops_mmap() function calls remap_pfn_range() without setting vm_ops on the VMA, so the kernel cannot track active mmaps and fails to invalidate PTEs when the framebuffer is reallocated, leading to a use-after-free when the backing pages are freed while userspace still holds references."

Attack vector

An attacker with access to a USB display device using the udlfb driver can trigger the use-after-free by first calling mmap() on the framebuffer to create a userspace mapping, then issuing FBIOPUT_VSCREENINFO via ioctl to trigger dlfb_realloc_framebuffer(), which replaces the backing buffer without invalidating existing PTEs. When the USB device is disconnected, dlfb_ops_destroy() calls vfree() on the old pages while userspace still holds valid PTEs, allowing read/write access to freed kernel memory. The attack requires local access to the device file and the ability to perform USB device emulation (e.g., via dummy_hcd + raw_gadget).

Affected code

The vulnerability is in the udlfb driver, specifically in dlfb_ops_mmap() which calls remap_pfn_range() without setting vm_ops on the VMA, and in dlfb_realloc_framebuffer() which replaces the backing buffer without checking for active mmaps. The patch modifies these functions and adds a vm_operations_struct to track mmap count via open/close callbacks [patch_id=1215870].

What the fix does

The patch adds a vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data [patch_id=1215870]. In dlfb_realloc_framebuffer(), the patch checks mmap_count and returns -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs [patch_id=1215870]. This ensures that the backing memory cannot be freed while any userspace mapping exists, closing the use-after-free window.

Preconditions

  • authLocal access to the framebuffer device file (e.g., /dev/fb*) is required.
  • inputAttacker must be able to call mmap() on the framebuffer and then issue FBIOPUT_VSCREENINFO ioctl.
  • configThe udlfb driver must be loaded and a USB display device (real or emulated) must be present.

Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.