CVE-2026-43332 Overview
CVE-2026-43332 is a use-after-free vulnerability in the Linux kernel thermal subsystem. The flaw resides in the thermal zone device registration error path within thermal_zone_device_register_with_trips(). When registration fails after the thermal zone device has been registered, the kernel does not wait for the tz->removal completion before freeing the structure. If user space has obtained a reference to the thermal zone's kobject, thermal_release() may not be invoked, and the tz structure can be freed prematurely. This creates a race condition allowing local attackers to trigger memory corruption in kernel space.
Critical Impact
Local attackers with low privileges can exploit this race condition to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel versions prior to the patched stable releases
- Linux Kernel 6.7.2
- Linux Kernel 7.0 release candidates (rc1 through rc6)
Discovery Timeline
- 2026-05-08 - CVE-2026-43332 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-43332
Vulnerability Analysis
The vulnerability exists in the Linux kernel thermal core subsystem, specifically in the device registration error handling logic. The function thermal_zone_device_register_with_trips() registers a thermal zone device and exposes it via sysfs. When subsequent initialization steps fail, the cleanup path must safely tear down the registered device.
The error path lacks a wait_for_completion() call on tz->removal, which is required to synchronize with any concurrent user-space reference acquisition on the device kobject. The normal teardown function thermal_zone_device_unregister() correctly performs this wait, but the error path does not. As a result, the thermal zone structure can be freed while user space still holds a valid reference, producing a classic use-after-free condition.
Root Cause
The root cause is missing synchronization between the registration error path and kobject reference counting in sysfs. When user space opens a thermal zone attribute concurrently with a failing registration, the kobject reference is held outside the kernel's expected cleanup sequence. The error path proceeds to release tz without confirming all references have been dropped, violating the lifetime contract that thermal_release() enforces during normal unregistration.
Attack Vector
Exploitation requires local access with low privileges. An attacker must time access to thermal zone sysfs attributes precisely while a registration failure occurs. The narrow race window makes reliable exploitation difficult, but local privilege escalation is theoretically achievable through kernel heap manipulation following the use-after-free. The vulnerability does not require user interaction and affects confidentiality, integrity, and availability.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.013%, reflecting the low likelihood of widespread exploitation in the near term.
Detection Methods for CVE-2026-43332
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing thermal_zone_device, thermal_release, or kobject cleanup functions
- Kernel slab-use-after-free reports from KASAN involving thermal subsystem allocations
- Repeated thermal zone registration failures correlated with concurrent sysfs access from unprivileged processes
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test and pre-production kernels to surface use-after-free conditions in the thermal subsystem
- Monitor dmesg and journald for kernel warnings referencing thermal_zone_device_register_with_trips failures
- Audit kernel versions across the fleet to identify hosts running affected Linux kernel versions including 6.7.2 and 7.0 release candidates
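An added example (not from the original advisory or the kernel project) of the log triage that the indicators and detection strategies above describe: it groups kernel log lines into fault reports and keeps only those that name a thermal_* symbol. The sample log lines, the 40-line report window and the function name find_thermal_reports are assumptions made for this example.

```python
import re

# Kernel symbols worth recording; only thermal_* ones make a report relevant.
SYMBOL = re.compile(r"\b((?:thermal|kobject)_\w+)\b")
# First line of a fault report: KASAN use-after-free, oops, or panic.
REPORT_START = re.compile(
    r"BUG: KASAN: (?:slab-)?use-after-free|Oops:|BUG: unable to handle|Kernel panic")
TIMESTAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")
WINDOW = 40  # assumption: max lines of one report scanned after its header

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
[  812.104233] thermal thermal_zone3: failed to read out thermal zone (-61)
[  812.377419] BUG: KASAN: slab-use-after-free in kobject_put+0x2c/0x1d0
[  812.377431] Read of size 4 at addr ffff888112a4c038 by task cat/4121
[  812.377455] Call Trace:
[  812.377470]  kobject_put+0x2c/0x1d0
[  812.377502] Freed by task 4098:
[  812.377529]  thermal_zone_device_register_with_trips+0x7d4/0x9a0
[  901.551002] BUG: KASAN: slab-use-after-free in ext4_readdir+0x1b2/0x2c0
""".splitlines()


def find_thermal_reports(lines):
    """Return one record per fault report whose text names a thermal_* symbol."""
    hits, i = [], 0
    while i < len(lines):
        if not REPORT_START.search(lines[i]):
            i += 1
            continue
        # A report runs to the next report header or the window limit.
        end = i + 1
        while (end < len(lines) and end - i < WINDOW
               and not REPORT_START.search(lines[end])):
            end += 1
        symbols = sorted({m.group(1) for ln in lines[i:end]
                          for m in SYMBOL.finditer(ln)})
        if any(s.startswith("thermal_") for s in symbols):
            ts = TIMESTAMP.match(lines[i])
            hits.append({"time": float(ts.group(1)) if ts else None,
                         "kind": "kasan-uaf" if "KASAN" in lines[i] else "oops",
                         "symbols": symbols})
        i = end
    return hits


if __name__ == "__main__":
    print(find_thermal_reports(SAMPLE_LOG))
```

Pass it the lines of dmesg output, or of journalctl -k -o short-monotonic so the timestamp prefix is present. Lines outside a fault report, such as the thermal warning at the top of the sample, are ignored.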
Monitoring Recommendations
- Collect kernel crash dumps and analyze stack traces for thermal subsystem involvement
- Track unprivileged processes that access /sys/class/thermal/ attributes at high frequency, which could indicate race condition exploitation attempts
- Forward kernel telemetry to a centralized data lake for retrospective hunting and correlation across hosts
How to Mitigate CVE-2026-43332
Immediate Actions Required
- Inventory all Linux systems running affected kernel versions and prioritize patching based on exposure to local users
- Apply the upstream stable kernel patches referenced by the Linux kernel maintainers as soon as vendor-provided builds become available
- Restrict local shell access on multi-tenant systems and harden container runtime configurations to limit access to thermal sysfs interfaces
Patch Information
The fix adds the missing wait_for_completion() call to the thermal zone device registration error path, mirroring the behavior of thermal_zone_device_unregister(). Patches are available in the upstream stable tree under the following commits: 4d390f0, 604da9c, 9e07e3b, 9e796001, and c4c7219. Distribution vendors will incorporate these fixes into stable kernel releases.
Workarounds
- Limit user-space access to /sys/class/thermal/ through restrictive file system permissions or mandatory access control policies such as SELinux or AppArmor
- Disable loadable thermal drivers on systems that do not require dynamic thermal management, reducing the surface for triggering registration failures
- Apply kernel live-patching solutions where available to deploy the fix without requiring a reboot


