HIGH
net/ethernet DMA Handle Leak
CVE-2026-43283
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
KernelScan AI5.5MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys.
02KernelScan AI Analysis
Risk summary
Systems using Beckhoff CX5020 EtherCAT master modules may experience memory leaks and potential system instability when network interface initialization fails. The bug causes improper DMA buffer cleanup, leading to resource exhaustion over time. This affects industrial automation systems and embedded devices using this specific hardware.
Vulnerability analysis
The vulnerability occurs in the error handling path of the ec_bhf_open() function where dma_free_coherent() is called with the wrong DMA handle parameter. Instead of using the physical DMA address (priv->rx_buf.alloc_phys), the code incorrectly passes the buffer length (priv->rx_buf.alloc_len) as the DMA handle. This causes the DMA subsystem to fail to properly unmap and free the coherent DMA buffer, resulting in a memory leak. The fix corrects the parameter to use the proper physical address, ensuring DMA buffers are correctly released during error cleanup. The attack surface is local and requires low privileges to trigger through network interface operations.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 0f589ee54fd6 |
| 5.15 | 5.15.202 | accd0599bc8e |
| 6.1 | 6.1.165 | 8320727be7ff |
| 6.12 | 6.12.75 | 1b1371cd4032 |
| 6.18 | 6.18.16 | 1b1d3c5d58a8 |
| 6.19 | 6.19.6 | 7e54ff938beb |
| 6.6 | 6.6.128 | 1e300c33ef3c |
| mainline | 7.0 | ffe68c376699 |