CVE-2026-43149 Overview
CVE-2026-43149 is a memory management vulnerability in the Linux kernel's fsl_ucc_hdlc WAN driver. The flaw resides in the uhdlc_memclean() cleanup routine, which incorrectly frees DMA-coherent memory. The priv->rx_buffer and priv->tx_buffer regions are allocated as a single contiguous buffer in uhdlc_init() but released as two separate buffers during cleanup. This mismatch between allocation and deallocation produces an improper dma_free_coherent() call sequence affecting Freescale Unified Communications Controller (UCC) HDLC hardware.
Critical Impact
Improper DMA buffer release in the kernel can corrupt DMA allocator state, leading to memory corruption or denial of service on systems using the fsl_ucc_hdlc driver.
Affected Products
- Linux kernel versions containing the drivers/net/wan/fsl_ucc_hdlc.c driver prior to the fix
- Systems using Freescale QUICC Engine UCC HDLC controllers
- Stable kernel branches referenced by the upstream commits 011ae5d, 0f85a96, 36bd7d5, 6496fb8, 84b932b, ba8d842, d68994e, and d8a5220
Discovery Timeline
- 2026-05-06 - CVE-2026-43149 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43149
Vulnerability Analysis
The fsl_ucc_hdlc driver provides High-Level Data Link Control (HDLC) support for Freescale QUICC Engine UCC hardware. During initialization, uhdlc_init() performs a single dma_alloc_coherent() call sized to hold both the receive and transmit ring buffers. The driver then stores pointers into this region as priv->rx_buffer and priv->tx_buffer. These pointers reference offsets within one contiguous DMA allocation, not two independent allocations.
The uhdlc_memclean() teardown path treats them as separate allocations. It invokes dma_free_coherent() twice — once for the receive buffer and once for the transmit buffer. The DMA allocator receives a free request for an address it never returned from dma_alloc_coherent(), and a second free against the original allocation is effectively skipped or mishandled. The fix replaces the two cleanup calls with a single dma_free_coherent() invocation against the entire allocated region.
The vulnerability has an EPSS probability of 0.024%, indicating low likelihood of opportunistic exploitation.
Root Cause
The root cause is an asymmetry between paired allocation and free operations. Kernel DMA APIs require that each dma_alloc_coherent() be matched by exactly one dma_free_coherent() using the original returned virtual address, DMA handle, and size. Splitting a single allocation across two free calls violates this contract and can corrupt DMA bookkeeping. This pattern is consistent with CWE-415 (Double Free) and improper resource release semantics.
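The allocation and free contract described above, modelled in user-space C as an added example (this is not the driver's code and not the upstream patch). The one-entry tracker, the names model_alloc, model_free and teardown, the buffer sizes and the bus address are assumptions made for illustration; only rx_buffer and tx_buffer mirror names used on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical ring sizes for this model; not the driver's constants. */
#define RX_BYTES 4096u
#define TX_BYTES 2048u
enum { FREE_OK = 0, FREE_BAD_SIZE = 1, FREE_UNKNOWN = 2 };
/* One-entry tracker standing in for the DMA API's allocation bookkeeping. */
struct tracker { void *cpu; uint64_t dma; size_t size; int live; };
struct priv { uint8_t *rx_buffer, *tx_buffer; uint64_t dma_rx, dma_tx; };

static void *model_alloc(struct tracker *t, size_t size, uint64_t *dma)
{
    void *cpu = malloc(size);
    *t = (struct tracker){ cpu, 0x10000000u, size, cpu != NULL };
    *dma = t->dma;              /* constructed bus address */
    return cpu;
}

/* Accepts only the exact (cpu, dma, size) triple that model_alloc returned. */
static int model_free(struct tracker *t, size_t size, void *cpu, uint64_t dma)
{
    if (!t->live || cpu != t->cpu || dma != t->dma)
        return FREE_UNKNOWN;    /* address never returned by the allocator */
    if (size != t->size)
        return FREE_BAD_SIZE;   /* right address, wrong length */
    free(t->cpu);
    t->live = 0;
    return FREE_OK;
}

/* Returns a bitmask of contract violations seen during teardown (0 = clean). */
static int teardown(int fixed)
{
    struct tracker t; struct priv p;
    int bad;
    p.rx_buffer = model_alloc(&t, RX_BYTES + TX_BYTES, &p.dma_rx);
    if (!p.rx_buffer) return -1;
    p.tx_buffer = p.rx_buffer + RX_BYTES;   /* an offset, not an allocation */
    p.dma_tx = p.dma_rx + RX_BYTES;
    if (fixed)                              /* patched: one free, original triple */
        return model_free(&t, RX_BYTES + TX_BYTES, p.rx_buffer, p.dma_rx);
    bad = model_free(&t, RX_BYTES, p.rx_buffer, p.dma_rx);   /* split free 1 */
    bad |= model_free(&t, TX_BYTES, p.tx_buffer, p.dma_tx);  /* split free 2 */
    free(t.cpu);                            /* model only: release host memory */
    return bad;
}

int main(void) { printf("split=%d single=%d\n", teardown(0), teardown(1)); return 0; }
```

In the split teardown the first call has the right address but the wrong length and the second passes an address the allocator never handed out; the single-free teardown returns 0.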
Attack Vector
The affected code path runs during driver teardown, typically triggered by module unload, device removal, or an initialization failure that invokes the cleanup routine. Triggering the bug requires the fsl_ucc_hdlc driver to be loaded against UCC HDLC hardware, which is found primarily on PowerPC-based Freescale QorIQ platforms. The code path cannot be reached remotely; an attacker needs local access. Local privileged users able to load, unload, or reconfigure network drivers can reach the vulnerable function. The technical details are documented in the upstream Linux stable commits, including Kernel Git Commit d8a5220 and Kernel Git Commit 36bd7d5.
Detection Methods for CVE-2026-43149
Indicators of Compromise
- Kernel log messages from the DMA subsystem reporting freeing of an unknown or unmatched coherent allocation during fsl_ucc_hdlc unload
- Kernel oops or warning traces referencing uhdlc_memclean in the call stack
- DMA debug warnings (CONFIG_DMA_API_DEBUG) flagging release of an address not returned by dma_alloc_coherent()
Detection Strategies
- Inventory running kernels and confirm whether the fsl_ucc_hdlc module is built or loaded on Freescale QorIQ/PowerPC hosts
- Compare deployed kernel versions against the fixed stable branches identified by the listed upstream commit hashes
- Enable CONFIG_DMA_API_DEBUG in non-production builds to surface mismatched DMA free calls during driver lifecycle testing
Monitoring Recommendations
- Forward kernel ring buffer events containing strings such as fsl_ucc_hdlc, dma_free_coherent, and WARNING to a centralized log pipeline
- Alert on repeated module load/unload sequences for fsl_ucc_hdlc on production network appliances
- Track host stability metrics (kernel panics, watchdog resets) on devices using QUICC Engine UCC HDLC interfaces
How to Mitigate CVE-2026-43149
Immediate Actions Required
- Apply the upstream Linux kernel patch that consolidates uhdlc_memclean() into a single dma_free_coherent() call
- Update to a stable kernel release that incorporates the listed merge commits for the fsl_ucc_hdlc driver
- Restrict module loading and network device reconfiguration to trusted administrators on affected hardware
Patch Information
The fix is available in multiple Linux stable trees. Reference patches include Kernel Git Commit 011ae5d, Kernel Git Commit 0f85a96, Kernel Git Commit 6496fb8, Kernel Git Commit 84b932b, Kernel Git Commit ba8d842, and Kernel Git Commit d68994e. The patch replaces the two-call free sequence with a single dma_free_coherent() against the original allocation pointer, length, and DMA handle established in uhdlc_init().
Workarounds
- Blacklist the fsl_ucc_hdlc module on systems that do not require UCC HDLC connectivity until the patched kernel is deployed
- Avoid runtime unloading of the driver on production systems where a patched kernel is not yet available
- Limit physical and administrative access to QorIQ-based appliances where local users could trigger driver teardown
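# Prevent fsl_ucc_hdlc from loading until the patched kernel is installed.
# 'blacklist' only stops alias-based autoloading; the 'install' line also makes an explicit modprobe fail.
printf 'blacklist fsl_ucc_hdlc\ninstall fsl_ucc_hdlc /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-fsl-ucc-hdlc.conf
# Debian/Ubuntu: rebuild the initramfs so the setting also applies during early boot
sudo update-initramfs -u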


