CVE-2026-43056 Overview
CVE-2026-43056 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Microsoft Azure Network Adapter (MANA) ethernet driver. The flaw resides in the add_adev() function error-handling path. When auxiliary_device_add() fails, the code calls auxiliary_device_uninit(adev), which triggers the adev_release() callback and frees the containing struct mana_adev. The function then falls through to init_fail and dereferences adev->id after the structure has already been freed.
Critical Impact
A local attacker with the ability to trigger MANA auxiliary device initialization failure can corrupt kernel memory, leading to privilege escalation, kernel panic, or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix commits)
- Linux Kernel 7.0-rc1 through 7.0-rc5 release candidates
- Distributions shipping the net/mana driver with the vulnerable add_adev() implementation
Discovery Timeline
- 2026-05-01 - CVE-2026-43056 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43056
Vulnerability Analysis
The vulnerability exists in the MANA networking driver located at drivers/net/ethernet/microsoft/mana/. The add_adev() function allocates a struct mana_adev and registers an embedded auxiliary device. On the failure path, the cleanup sequence accesses memory that has already been released.
When auxiliary_device_add() returns an error, control jumps to the add_fail label, which invokes auxiliary_device_uninit(). Because the auxiliary device's release callback adev_release() calls kfree() on the parent mana_adev structure, all embedded fields, including adev->id, become invalid. The subsequent fall-through to the init_fail label reads adev->id to release the previously allocated IDA identifier, dereferencing freed kernel heap memory.
Use-after-free conditions in kernel allocator slabs are exploitable through heap grooming, where an attacker causes a controlled object to occupy the freed slot before the dangling read or write occurs.
Root Cause
The root cause is improper ordering of cleanup operations combined with unsafe reuse of a pointer whose backing allocation may already be released by a release callback. The mana_adev lifetime is tied to the auxiliary device reference count, but the error path treats adev->id as if it remains valid after auxiliary_device_uninit().
Attack Vector
Exploitation requires local access with privileges sufficient to trigger MANA driver auxiliary device registration failures. The attack vector is local with low attack complexity and low privileges required, with no user interaction. Successful exploitation can compromise confidentiality, integrity, and availability of the host kernel. The fix saves the allocated auxiliary device id to a local variable before calling auxiliary_device_add(), then uses the saved id during cleanup after auxiliary_device_uninit().
No public proof-of-concept exploit has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-43056
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing mana_adev, add_adev, or auxiliary_device_uninit in dmesg or /var/log/kern.log
- KASAN reports flagging use-after-free accesses within the MANA driver code paths
- Repeated MANA auxiliary device registration failures preceding kernel instability
Detection Strategies
- Audit running kernel versions against the patched commits 43f5b19f, 5f4061f8, c4ea7d89, d88541ff, and e5a75bf0 from the upstream stable tree
- Enable KASAN on test kernels to surface use-after-free conditions during MANA driver fault injection
- Monitor kernel ring buffer for repeated auxiliary_device_add failures that could indicate exploitation attempts
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on MANA driver error patterns
- Track unexpected reboots or kernel crashes on Azure-hosted Linux instances using the MANA NIC
- Correlate local privilege escalation indicators with kernel crash telemetry to identify exploitation attempts
How to Mitigate CVE-2026-43056
Immediate Actions Required
- Identify all Linux hosts running affected kernel versions, prioritizing Azure virtual machines that use the MANA network adapter
- Apply vendor-supplied kernel updates from your Linux distribution as soon as they become available
- Restrict local shell access on multi-tenant systems to limit the population of users able to trigger the local attack vector
Patch Information
The fix has been merged into the upstream Linux kernel across multiple stable branches. Reference the official commits: Kernel Git Commit 43f5b19, Kernel Git Commit 5f4061f, Kernel Git Commit c4ea7d8, Kernel Git Commit d88541f, and Kernel Git Commit e5a75bf. Rebuild and reboot into the patched kernel to remove the vulnerable code path.
Workarounds
- Unload the mana kernel module on systems that do not require the Microsoft Azure Network Adapter using modprobe -r mana
- Blacklist the MANA driver where the hardware is not present by adding blacklist mana to /etc/modprobe.d/
- Enforce least-privilege policies and remove unprivileged shell access on systems that cannot be patched immediately
# Verify kernel version and check for MANA driver presence
uname -r
lsmod | grep mana
# Blacklist MANA driver where not required
echo "blacklist mana" | sudo tee /etc/modprobe.d/blacklist-mana.conf
sudo update-initramfs -u
# Apply distribution kernel updates
sudo apt update && sudo apt upgrade linux-image-generic # Debian/Ubuntu
sudo dnf update kernel # RHEL/Fedora
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
