CVE-2026-43497 — fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

AI Predicted 6.5 Difficulty: Moderate

Possible ATT&CK Techniques 1AI

T1055.008 · Ptrace System Calls

Affected Version Matrix (10 rows)

| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4f312c30f0368e8d2a76aa650dff73f23490b5e7 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 18dd358de72d57993422cbb5dfb29ccd74efe192 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < da9b065cedfd3b574f229d5be594e6aa47a27ae6 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a2c53a3822ee26e8d758071815b9ed3bf6669fc1 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8de779dc40d35d39fa07387b6f921eb11df0f511 | affected |
| Linux | Linux | 6.6.140 ≤ 6.6.* | unaffected |
| Linux | Linux | 6.12.88 ≤ 6.12.* | unaffected |
| Linux | Linux | 6.18.30 ≤ 6.18.* | unaffected |

… +2 more rows

I. Basic Information for CVE-2026-43497

Vulnerability Information

Vulnerability Title
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps.

When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Linux | Linux | 7433914efd584b22bb49d3e1eee001f5d0525ecd ~ 4f312c30f0368e8d2a76aa650dff73f23490b5e7 | - |
| Linux | Linux | 4.19 | - |

II. Public POCs for CVE-2026-43497

No public POC found.

III. Intelligence Information for CVE-2026-43497

Patch · 5

Same Patch Batch · Linux · 2026-05-21 · 8 CVEs total

- CVE-2026-43502 · net/rds: handle zerocopy send cleanup before the message is queued
- CVE-2026-43501 · ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
- CVE-2026-43498 · accel/ivpu: Disallow re-exporting imported GEM objects
- CVE-2026-43499 · rtmutex: Use waiter::task instead of current in remove_waiter()
- CVE-2026-43496 · net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
- CVE-2026-43495 · net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
- CVE-2026-43494 · net/rds: reset op_nents when zerocopy page pin fails
