CVE-2026-43447 Overview
CVE-2026-43447 is a use-after-free vulnerability in the Linux kernel's Intel Adaptive Virtual Function (iavf) network driver. The flaw resides in the driver's Precision Time Protocol (PTP) support, where a worker thread that periodically caches PHC (PTP Hardware Clock) time is not stopped during driver reset or disable operations. This creates a race condition between the PTP worker and the teardown paths in iavf_reset_task() and iavf_disable_vf(). If the worker invokes iavf_queue_ptp_cmd() while adapter resources are being released, it accesses freed memory and locks, causing a kernel crash.
Critical Impact
A local attacker triggering driver resets on systems using the iavf virtual function driver can cause kernel memory corruption, leading to denial of service or potential local privilege escalation.
Affected Products
- Linux kernel versions containing commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time")
- Systems using the Intel Adaptive Virtual Function (iavf) driver with PTP enabled
- Virtualized environments leveraging SR-IOV with Intel network adapters
Discovery Timeline
- 2026-05-08 - CVE-2026-43447 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43447
Vulnerability Analysis
The vulnerability is a use-after-free condition [CWE-416] in the iavf driver's PTP implementation. Commit 7c01dbfc8a1c5f introduced a periodic worker that caches PHC time to reduce hardware register access overhead. The worker continues executing during driver teardown paths because neither iavf_reset_task() nor iavf_disable_vf() synchronously stops it before releasing adapter resources.
When the worker calls iavf_queue_ptp_cmd() concurrently with teardown, it dereferences pointers to the Admin Queue (AQ) and other adapter structures that have already been freed. This results in kernel memory corruption with consequences ranging from kernel panic to exploitable memory state manipulation by a local attacker.
Root Cause
The root cause is missing lifecycle synchronization between the PTP cache worker and the driver's reset and disable paths. The original patch added the worker but did not register a corresponding stop or cancellation step in the teardown sequence, violating the invariant that all asynchronous work must complete before backing resources are released.
Attack Vector
Exploitation requires local access with privileges sufficient to trigger an iavf reset, which can occur through interface administration, driver reload, or virtual function manipulation. The race window opens whenever the reset or disable path executes while the PTP worker is scheduled. The CVSS vector indicates a local attack vector with low privileges and no user interaction, yielding high impact to confidentiality, integrity, and availability.
The vulnerability mechanism is described in the upstream commit messages. See the kernel commit references for the technical fix.
Detection Methods for CVE-2026-43447
Indicators of Compromise
- Unexpected kernel panics or BUG: KASAN: use-after-free messages referencing iavf_queue_ptp_cmd or iavf_ptp functions in dmesg.
- Kernel oops events correlated with iavf driver reset operations or virtual function state changes.
- Crash dumps showing freed Admin Queue (AQ) memory access from worker thread context.
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test systems running the iavf driver to catch use-after-free conditions during reset scenarios.
- Monitor kernel logs for stack traces involving iavf_reset_task, iavf_disable_vf, and PTP worker functions occurring in close temporal proximity.
- Audit installed kernel versions against the fixed commits to identify exposed hosts.
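The two log checks above (KASAN use-after-free reports in the iavf PTP functions, and teardown and PTP symbols logged close together) can be scripted over `dmesg` output. The following is an added example, not code from the advisory or the kernel project; the log lines, offsets and the 2-second window are constructed assumptions.

```python
import re

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")   # "[  812.104233] text"
KASAN_UAF = re.compile(r"BUG: KASAN: (?:slab-)?use-after-free in (\w+)")
PTP_SYM = re.compile(r"\b(iavf_queue_ptp_cmd|iavf_ptp_\w+)")
TEARDOWN_SYM = re.compile(r"\b(iavf_reset_task|iavf_disable_vf)\b")

def scan(lines, window=2.0):
    """Return (kind, timestamp, detail) findings from dmesg-style lines."""
    findings, ptp_hits, teardown_hits = [], [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # untimestamped line, nothing to correlate
        ts, text = float(m.group(1)), m.group(2)
        kasan = KASAN_UAF.search(text)
        if kasan and PTP_SYM.match(kasan.group(1)):
            findings.append(("kasan-uaf", ts, kasan.group(1)))
        ptp = PTP_SYM.search(text)
        if ptp:
            ptp_hits.append((ts, ptp.group(1)))
        teardown = TEARDOWN_SYM.search(text)
        if teardown:
            teardown_hits.append((ts, teardown.group(1)))
    # Teardown and PTP symbols logged within `window` seconds of each other.
    for t_ts, t_sym in teardown_hits:
        near = [(abs(p_ts - t_ts), p_sym) for p_ts, p_sym in ptp_hits
                if abs(p_ts - t_ts) <= window]
        if near:
            findings.append(("teardown-near-ptp", t_ts, f"{t_sym} ~ {min(near)[1]}"))
    return findings

# Constructed sample lines (not from a real host); offsets are made up.
SAMPLE = [
    "[  812.098870]  iavf_reset_task+0x2f1/0x1b40 [iavf]",
    "[  812.104233] BUG: KASAN: use-after-free in iavf_queue_ptp_cmd+0x5c/0x1a0 [iavf]",
    "[  812.104301]  iavf_queue_ptp_cmd+0x5c/0x1a0 [iavf]",
    "[ 2400.000100]  iavf_disable_vf+0x88/0x210 [iavf]",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The proximity check is a triage heuristic: a teardown symbol near a PTP symbol marks a host for closer review, while the KASAN match is the stronger signal.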
Monitoring Recommendations
- Track frequency of iavf driver resets and PTP-related kernel messages across virtualized fleets.
- Alert on repeated SR-IOV virtual function disable or reset operations from non-administrative contexts.
- Centralize kernel crash telemetry to identify clustered failures pointing to this race condition.
How to Mitigate CVE-2026-43447
Immediate Actions Required
- Apply the upstream kernel patches referenced in commits 1b034f2429ce, 90cc8b2add29, and efc54fb13d79 once available in your distribution's kernel package.
- Inventory all systems running the iavf driver, particularly virtualization hosts and guests using Intel SR-IOV virtual functions.
- Restrict local access and limit privileges that allow triggering driver resets or virtual function state changes.
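For the inventory step, a host can report which interfaces are bound to the iavf driver and whether each has a PTP hardware clock registered. This is an added example, not part of the advisory; it assumes the standard sysfs layout in which `device/driver` is a symlink to the bound driver and a registered PHC appears under `device/ptp/`, and the `sysfs_net` parameter exists only so the function can be pointed at a test tree.

```python
import os

def iavf_interfaces(sysfs_net="/sys/class/net"):
    """Map interface name -> True/False (PHC registered) for iavf-bound netdevs."""
    result = {}
    if not os.path.isdir(sysfs_net):
        return result
    for ifname in sorted(os.listdir(sysfs_net)):
        dev = os.path.join(sysfs_net, ifname, "device")
        driver_link = os.path.join(dev, "driver")
        if not os.path.islink(driver_link):
            continue  # virtual interfaces (lo, bridges) have no bound driver
        if os.path.basename(os.readlink(driver_link)) != "iavf":
            continue
        # Assumption: a PHC registered by the driver shows up as device/ptp/ptpN.
        ptp_dir = os.path.join(dev, "ptp")
        has_phc = os.path.isdir(ptp_dir) and any(
            name.startswith("ptp") for name in os.listdir(ptp_dir))
        result[ifname] = has_phc
    return result

if __name__ == "__main__":
    found = iavf_interfaces()
    if not found:
        print("no iavf-bound interfaces on this host")
    for ifname, has_phc in found.items():
        state = "PHC registered" if has_phc else "no PHC"
        print(f"{ifname}: iavf, {state}")
```

Interfaces reported with a PHC match the "iavf driver with PTP enabled" condition listed under Affected Products and are the ones to prioritize for patching.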
Patch Information
The fix calls iavf_ptp_release() before tearing down the adapter, ensuring ptp_clock_unregister() synchronously cancels the worker and cleans up the chardev before backing resources are destroyed. Patches are available in the upstream Linux kernel stable trees via the commits listed in the external references.
Workarounds
- Disable PTP functionality on iavf interfaces where precision time is not required, reducing the worker activity that triggers the race.
- Avoid manual driver resets and minimize SR-IOV virtual function reconfiguration on production systems until patches are deployed.
- Apply strict access controls on CAP_NET_ADMIN and related capabilities to reduce the local attack surface.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


