CVE-2026-43015 Overview
CVE-2026-43015 is a use-after-free vulnerability in the Linux kernel's Cadence MACB/GEM Ethernet driver (macb). The flaw resides in the PCI glue driver removal path, where platform_device_unregister() may still invoke the runtime resume callback after the associated clocks have been freed. Removing the macb_pci module triggers macb_runtime_resume(), which calls clk_prepare() on memory already released by clk_unregister(). The bug surfaced in kernel 6.1.164 and earlier streams through KASAN reports during modprobe -r operations on systems running the MACB Ethernet driver.
Critical Impact
Local users with module-management privileges can trigger kernel memory corruption during driver unload, potentially leading to denial of service or further exploitation of the freed slab object.
Affected Products
- Linux kernel macb Ethernet driver (Cadence MACB/GEM) when used with the PCI glue driver macb_pci
- Linux kernel 6.1.164 and other stable branches referenced by the upstream commits
- Distributions shipping the unpatched drivers/net/ethernet/cadence/macb_pci.c
Discovery Timeline
- 2026-05-01 - CVE-2026-43015 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43015
Vulnerability Analysis
The macb_pci driver registers fixed-rate clocks during macb_probe() and then registers a child platform device that binds to the core macb driver. On module removal, macb_remove() first calls clk_unregister() to free the clock structures, then calls platform_device_unregister() to tear down the child device. The unregister path triggers a runtime resume on the platform device before deletion. That resume callback, macb_runtime_resume(), calls clk_prepare() on the clock pointers stored in the driver's private data, which now reference freed slab memory.
KASAN captures the read of size 8 inside clk_prepare+0x5a/0x60 originating from macb_runtime_resume+0x13d/0x410, confirmed by allocation in __clk_register during probe and free in clk_unregister during remove. The fix retains local pointers to the clocks before unregistering the platform device, then calls clk_unregister() on the saved pointers after the platform device tear-down completes.
Root Cause
The driver releases clock objects before the platform device is fully torn down. Because the runtime power-management subsystem performs a resume during bus_remove_device(), the macb core dereferences pointers that clk_unregister() has already freed. This is a classic Use-After-Free [CWE-416] caused by incorrect ordering of resource release versus device unregistration.
A prior commit d82d5303c4c5 ("net: macb: fix use after free on rmmod") attempted to address the same class of bug but only relocated the defect rather than eliminating the ordering hazard.
Attack Vector
Exploitation requires local access with the ability to load and unload kernel modules, typically CAP_SYS_MODULE. An attacker triggering removal of the macb_pci module on a vulnerable host produces a deterministic use-after-free against a recently freed clock structure. The freed slab object can be reclaimed by an adversary-controlled allocation between the free and the dereference, enabling a write or read against attacker-shaped data inside clk_prepare(). The bug is not reachable over the network and depends on local privileges and the presence of the MACB Ethernet device or its emulation.
The vulnerability mechanism is captured in the upstream KASAN report; no public exploit is available, and the patched commits replace the unsafe ordering with cached local pointers reused only after platform_device_unregister() returns.
Detection Methods for CVE-2026-43015
Indicators of Compromise
- KASAN splats containing use-after-free in clk_prepare with a call stack including macb_runtime_resume and platform_device_unregister
- Kernel oops or panic during rmmod macb_pci or modprobe -r macb_pci on affected systems
- Unexpected NIC link loss followed by kernel taint flags on hosts running Cadence MACB hardware or QEMU emulation
Detection Strategies
- Inventory running kernels and identify hosts using the macb and macb_pci modules via lsmod and package metadata
- Compare installed kernel package versions against the fixed commits referenced in the upstream stable trees
- Enable KASAN or KFENCE in test environments to catch the use-after-free deterministically during driver unload tests
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a centralized log pipeline and alert on KASAN, BUG:, and use-after-free strings
- Audit delete_module and init_module syscalls with auditd or eBPF tracing to detect unauthorized module unloads
- Track kernel panic and oops counters on systems with embedded MACB controllers or virtualized environments using the driver
How to Mitigate CVE-2026-43015
Immediate Actions Required
- Apply the upstream stable kernel updates that include the fixed commits in drivers/net/ethernet/cadence/macb_pci.c
- Restrict module load and unload privileges to administrative accounts and remove CAP_SYS_MODULE from non-privileged users
- Avoid runtime removal of the macb_pci module on production hosts until patches are applied
Patch Information
The Linux kernel maintainers have merged fixes across multiple stable branches. The change saves clock pointers to local variables before calling platform_device_unregister() and only invokes clk_unregister() on those local pointers afterward. Refer to the upstream commits: 16ab4c0e2b15, 2d96204e4184, 3496fb9e66f7, 67f70841a175, b3f799cdf830, bf64cae913cd, ce8fe5287b87, and f310a836da90.
Workarounds
- Blacklist the macb_pci module on systems that do not require Cadence MACB Ethernet support using /etc/modprobe.d/
- Disable user namespaces and tighten kernel.modules_disabled=1 after boot on systems that do not need to load or unload modules at runtime
- Limit physical and SSH access to administrators on devices with embedded MACB controllers until kernel updates are deployed
# Configuration example: prevent further module unload after boot
sudo sysctl -w kernel.modules_disabled=1
echo 'kernel.modules_disabled = 1' | sudo tee /etc/sysctl.d/99-modules-lock.conf
# Optionally blacklist the affected glue driver where unused
echo 'blacklist macb_pci' | sudo tee /etc/modprobe.d/blacklist-macb_pci.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
