KernelScan.io

HIGH

iavf PTP UAF

CVE-2026-43447

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 5.8 (MEDIUM)


In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.


Engine v0.2.0

Risk summary

Local attackers with low privileges can exploit a use-after-free condition in the Intel iavf network driver's PTP worker thread during device reset. This affects systems using Intel SR-IOV virtual functions with PTP timestamping enabled. The vulnerability can result in information disclosure from freed heap memory, limited memory corruption, and kernel crash/denial of service.

Affected: drivers/net/ethernet/intel/iavf/iavf_main.c (Intel iavf driver)

Vulnerability analysis

The vulnerability stems from improper worker thread lifecycle management in the iavf driver's PTP implementation. When iavf_reset_task() or iavf_disable_vf() tear down adapter resources including the admin queue (AQ), a concurrent PTP worker thread may still be running and attempt to access these freed resources via iavf_queue_ptp_cmd(). The race condition can lead to use-after-free access of heap memory and locks, resulting in potential information leak, memory corruption, and kernel crash. The fix adds iavf_ptp_release() calls before resource teardown, ensuring ptp_clock_unregister() synchronously cancels the worker thread and cleans up the PTP character device before the backing memory is freed. Exploitation requires local access to trigger network device reset or disable operations.


Branch     Fixed in   Patch commit
6.18       6.18.19    1b034f2429ce
6.19       6.19.9     90cc8b2add29
mainline   7.0        efc54fb13d79