HIGH
reset GPIO UAF
CVE-2026-43138
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

reset: gpio: suppress bind attributes in sysfs

This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a use-after-free vulnerability by unbinding GPIO-based reset controller devices through sysfs. This can cause kernel crashes and denial of service on systems using GPIO reset controllers for hardware management.
Vulnerability analysis
The vulnerability occurs because the GPIO reset controller driver creates auxiliary devices dynamically that are intended to persist in memory permanently, but lacks proper reference counting between the device and reset control handles. When userspace unbinds the device via sysfs (/sys/bus/auxiliary/drivers/reset-gpio/unbind), the device is freed while reset control handles may still reference it, creating a use-after-free condition. The fix suppresses sysfs bind attributes by setting suppress_bind_attrs=true in the driver structure, preventing userspace from triggering the unbind operation that leads to the memory corruption.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | 09d6efc6abd4 |
| 6.18 | 6.18.16 | 76801c3dfca0 |
| 6.19 | 6.19.6 | 1d7d869f074f |
| mainline | 7.0 | 16de4c6a8fe9 |
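
A host check built from the table and the sysfs path above, as an added example that is not part of the advisory or the kernel tree. The function names and status strings are assumptions; the fixed versions and the driver directory are the ones this page lists, and a branch missing from the table is reported as unknown rather than guessed.

```python
import os
import re

# Fixed releases per stable branch, copied from the Fix Versions table.
FIXED_STABLE = {(6, 12): 75, (6, 18): 16, (6, 19): 6}
FIXED_MAINLINE = (7, 0)
# Driver directory taken from the unbind path quoted in the analysis.
DRIVER_DIR = "/sys/bus/auxiliary/drivers/reset-gpio"


def parse_release(release):
    """Parse a `uname -r` string such as '6.12.74-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_status(release):
    """Classify an upstream-numbered release as 'fixed', 'unfixed' or 'unknown'."""
    major, minor, patch = parse_release(release)
    if (major, minor) >= FIXED_MAINLINE:
        return "fixed"
    if (major, minor) in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[(major, minor)] else "unfixed"
    # Branch not in the table: the page gives no data, so do not guess.
    return "unknown"


def sysfs_state(driver_dir=DRIVER_DIR):
    """Report whether the registered driver still exposes bind attributes."""
    if not os.path.isdir(driver_dir):
        return "driver-absent"   # not built, not loaded, or registered elsewhere
    if os.path.exists(os.path.join(driver_dir, "unbind")):
        return "unbind-exposed"  # suppress_bind_attrs is not in effect
    return "unbind-suppressed"


def assess(release, driver_dir=DRIVER_DIR):
    """Combine both signals; the runtime sysfs view wins because vendors backport."""
    state = sysfs_state(driver_dir)
    if state == "unbind-exposed":
        return "exposed"
    if state == "unbind-suppressed":
        return "mitigated"
    return "driver not registered; kernel " + version_status(release) + " by version"


if __name__ == "__main__":
    print(assess(os.uname().release))
```

The version result only holds for kernels that keep upstream numbering; on distribution kernels with backported fixes, rely on the sysfs result.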