HIGH
net/mana ServiceWQ UAF
CVE-2026-43440
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 4.7 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:
net/mana: Null service_wq on setup error to prevent double destroy
In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the Microsoft Azure Network Adapter (MANA) driver could allow local attackers with administrative privileges to cause system crashes or limited memory corruption. The vulnerability occurs when PCI device setup fails and leaves a dangling workqueue pointer that is later dereferenced during cleanup, leading to a double-free condition.
Vulnerability analysis
The vulnerability exists in the mana_gd_setup() error handling path where destroy_workqueue() is called but the service_wq pointer is not nullified. This creates a dangling pointer that is dereferenced during subsequent cleanup (e.g., PCI rescan or driver unload), causing a double destroy of the workqueue. The fix adds gc->service_wq = NULL after workqueue destruction to match the cleanup pattern in mana_gd_cleanup(). The attack surface is limited to systems with MANA hardware and requires administrative privileges to trigger PCI device setup or rescan operations.
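A userspace model of the error path described above, added here as an illustration and not taken from the kernel source or the patch. The `model_*` names, the destroy counter and the shape of the cleanup check are assumptions; a counter stands in for the real workqueue so the second destroy can be observed without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the workqueue and the driver context. */
struct model_wq { int destroy_calls; };
struct model_gc { struct model_wq *service_wq; };

/* Counts calls instead of freeing, so a double destroy is visible. */
static void model_destroy_wq(struct model_wq *wq) { wq->destroy_calls++; }

/* Setup that fails after the workqueue exists. null_on_error selects
 * the patched behaviour described in the CVE text. */
static int model_setup(struct model_gc *gc, struct model_wq *wq, bool null_on_error)
{
    gc->service_wq = wq;               /* workqueue "created" */
    /* ... a later setup step fails here ... */
    model_destroy_wq(gc->service_wq);  /* error path tears it down */
    if (null_on_error)
        gc->service_wq = NULL;         /* the fix: leave no stale pointer */
    return -1;
}

/* Assumed cleanup pattern: destroy only if the pointer is set, then clear it. */
static void model_cleanup(struct model_gc *gc)
{
    if (gc->service_wq) {
        model_destroy_wq(gc->service_wq);
        gc->service_wq = NULL;
    }
}

/* Number of destroys seen after a failed setup followed by cleanup. */
int destroy_count_after_failed_setup(bool null_on_error)
{
    struct model_wq wq = { 0 };
    struct model_gc gc = { NULL };

    model_setup(&gc, &wq, null_on_error);
    model_cleanup(&gc);
    return wq.destroy_calls;
}

int main(void)
{
    printf("unpatched: %d destroys\n", destroy_count_after_failed_setup(false));
    printf("patched:   %d destroys\n", destroy_count_after_failed_setup(true));
    return 0;
}
```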
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.19 | 59489ce60d74 |
| 6.19 | 6.19.9 | 6c92392602b4 |