HIGH
serial caif UAF
CVE-2026-43458
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.3 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

serial: caif: hold tty->link reference in ldisc_open and ser_release

A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port.

Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path.

With this change applied, the reproducer no longer triggers the UAF in my testing.
02 KernelScan AI Analysis
Risk summary
Local users can trigger a use-after-free vulnerability in the CAIF serial line discipline by manipulating TTY/PTY reference counts. This can lead to kernel memory corruption, information disclosure from freed slab objects, and system crashes, with potential for privilege escalation. Systems with the CAIF line discipline enabled and exposing local TTY access are at risk.
Vulnerability analysis
The CAIF serial line discipline failed to hold a reference count on tty->link objects, causing a use-after-free when the TX path calls tty_write_room() and accesses tty->link->port after the linked TTY has been freed. The fix adds proper reference counting by taking an additional tty_kref_get() on tty->link during ldisc_open() and releasing it in ser_release() and the error path. The vulnerability is reachable locally via pseudo-terminals (PTYs) and does not require physical serial hardware.
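The reference-counting pattern described above, as an added userspace model that is not the kernel patch or code from this page. Every `model_*` type and function is a hypothetical stand-in for the kernel's tty objects and kref helpers, and "freed" is a flag rather than a real free so the object's state stays inspectable.

```c
#include <stddef.h>

/* Userspace model only: hypothetical stand-ins, not the kernel's
 * struct tty_struct or its kref API. */
struct model_tty {
    int kref;                /* reference count */
    int freed;               /* set when the last reference is dropped */
    struct model_tty *link;  /* other end of the pty pair */
};

static struct model_tty *model_kref_get(struct model_tty *t)
{
    if (t)
        t->kref++;
    return t;
}

static void model_kref_put(struct model_tty *t)
{
    if (t && --t->kref == 0)
        t->freed = 1;        /* a kernel would free the object here */
}

struct model_ser {
    struct model_tty *link;  /* pinned peer, NULL when not held */
};

/* Open: pin tty->link; drop the pin again if later setup fails. */
static int model_ldisc_open(struct model_ser *ser, struct model_tty *tty,
                            int setup_fails)
{
    ser->link = model_kref_get(tty->link);
    if (setup_fails) {
        model_kref_put(ser->link);   /* error path must not leak the pin */
        ser->link = NULL;
        return -1;
    }
    return 0;
}

/* TX path: the peer may be dereferenced only while the pin is held. */
static int model_tx_peer_alive(const struct model_ser *ser)
{
    return ser->link && !ser->link->freed;
}

/* Release: drop the pin taken in open, ending the peer's extended lifetime. */
static void model_ser_release(struct model_ser *ser)
{
    model_kref_put(ser->link);
    ser->link = NULL;
}
```

In the model, the peer closing its own reference while the line discipline is open leaves the count at one, so the TX-path check still sees a live object; without the pin taken in open, that same close would drop the count to zero.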
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 23a3ac2e2262 |
| 5.15 | 5.15.203 | 52135420e9f7 |
| 6.1 | 6.1.167 | ca2ceba983bb |
| 6.6 | 6.6.130 | 8460187b4852 |
| 6.12 | 6.12.78 | 27e43356d0de |
| 6.18 | 6.18.19 | 35b58d3bc716 |
| 6.19 | 6.19.9 | 97a0bb491cae |
| mainline | 7.0 | 288598d80a06 |