HIGH Published 2026-05-01

mana AuxDevice UAF

CVE-2026-43056

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI7.8HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set to adev_release(), which frees the containing struct mana_adev. Since adev is embedded in struct mana_adev, the subsequent fall-through to init_fail and access to adev->id may result in a use-after-free. Fix this by saving the allocated auxiliary device id in a local variable before calling auxiliary_device_add(), and use that saved id in the cleanup path after auxiliary_device_uninit().

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

A use-after-free vulnerability in the Microsoft Azure Network Adapter (MANA) driver could allow local attackers with sufficient privileges to cause system crashes or potentially execute arbitrary code. The vulnerability occurs during error handling when auxiliary device creation fails, leading to access of freed memory. While exploitation requires local access and specific failure conditions, successful exploitation could result in privilege escalation or denial of service.

Affecteddrivers/net/ethernet/microsoft/mana/mana_en.c

Vulnerability analysis

Root Cause: In the add_adev() function's error handling path, when auxiliary_device_add() fails, the code calls auxiliary_device_uninit(adev) which triggers the adev_release() callback that frees the containing struct mana_adev. Since adev is embedded within mana_adev, any subsequent access to adev->id in the init_fail cleanup path results in a use-after-free vulnerability.

Attack Surface: This vulnerability is triggered during device initialization when auxiliary_device_add() fails. It requires local access with sufficient privileges to trigger device operations, typically during system boot or device hotplug events. The attack surface is limited to scenarios where the MANA network driver is loaded and auxiliary device creation fails.

Fix Mechanism: The patch saves the allocated auxiliary device ID in a local variable 'id' before calling auxiliary_device_add(). In the error cleanup path after auxiliary_device_uninit(), it uses the saved 'id' variable instead of accessing the potentially freed adev->id field.

03Fix Versions

Branch	Fixed in	Patch commit
6.12	6.12.81	`43f5b19fd190`
6.18	6.18.22	`5f4061f8225d`
6.19	6.19.12	`e5a75bf026c6`
6.6	6.6.134	`d88541ffd56d`
mainline	7.0	`c4ea7d8907cf`