CVE-2026-43458 Overview
CVE-2026-43458 is a use-after-free vulnerability in the Linux kernel's caif_serial line discipline. The flaw resides in the transmit path, where caif_serial calls tty_write_room() and dereferences tty->link->port after the linked TTY has been freed. A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when the CAIF serial driver accesses the stale pointer. The fix introduces an additional kref reference on tty->link held for the lifetime of the line discipline, acquired in ldisc_open() and released in ser_release() (or on the ldisc_open() error path).
Critical Impact
A local user able to attach the caif_serial line discipline to a pseudo-terminal can trigger kernel memory corruption, potentially leading to denial of service or local privilege escalation.
Affected Products
- Linux kernel versions containing the caif_serial line discipline prior to the fix
- Distributions shipping vulnerable stable kernel branches addressed by the referenced commits
- Systems where unprivileged users can open pseudo-terminals and set line disciplines
Discovery Timeline
- 2026-05-08 - CVE-2026-43458 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43458
Vulnerability Analysis
The Communication CPU to Application CPU Interface (CAIF) serial driver implements a TTY line discipline named caif_serial. When the discipline is attached to one end of a pseudo-terminal (PTY) pair, the driver's transmit path invokes tty_write_room(), which on a PTY dereferences tty->link to read the peer's port structure.
The driver did not hold its own reference on tty->link. When the peer end of the PTY pair was closed and freed while the caif_serial side remained active, subsequent transmits accessed freed memory. KASAN flags this as a slab-use-after-free in pty_write_room(), with the faulting access on tty->link->port. The resulting kernel memory corruption can produce panics or be shaped for further exploitation [CWE-416].
Root Cause
The root cause is missing reference-count discipline on the paired TTY. The caif_serial line discipline relied on the lifetime of tty->link without explicitly pinning it. On PTYs, the link endpoint can be released independently, leaving a dangling pointer that the TX path later dereferences.
Attack Vector
A local user opens a PTY pair and attaches the caif_serial line discipline using ioctl(TIOCSETD). The attacker then closes the peer end of the PTY while keeping the CAIF side open and triggers a write. The TX path reaches tty_write_room() and reads tty->link->port from freed slab memory, corrupting kernel state.
This advisory does not reproduce the patch itself. See the upstream fix commits referenced below for the implementation, which adds a tty_kref_get() in ldisc_open() and a matching tty_kref_put() in ser_release() and on the ldisc_open() error path.
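To make the lifetime problem and the fix concrete, the following is an added user-space model, not code from the kernel tree or from the fix commits. LinkedTty stands in for the peer reached through tty->link and carries a kref-style counter; CaifLdisc stands in for the line discipline, either pinning the peer (the fix) or not (the bug); a poison-on-final-put check stands in for what KASAN reports. All class, method and field names are hypothetical; the real driver uses tty_kref_get() in ldisc_open() and tty_kref_put() in ser_release().

```python
"""Added example (not kernel code): model of the tty->link lifetime bug behind
CVE-2026-43458 and of the kref-style fix. Names are hypothetical."""


class LinkedTty:
    """Stands in for the peer TTY reached through tty->link."""

    def __init__(self, name):
        self.name = name
        self.refcount = 1            # the PTY core's own reference
        self.freed = False
        self.port = {"buf_size": 4096}   # stands in for tty->link->port

    def kref_get(self):
        if self.freed:
            raise RuntimeError(f"kref_get on freed {self.name}")
        self.refcount += 1

    def kref_put(self):
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True        # final put releases the object
            self.port = None         # poison the stale pointer


class CaifLdisc:
    """Model of the caif_serial line discipline attached to one PTY end.
    pin_link=False reproduces the vulnerable lifetime, pin_link=True the fix."""

    def __init__(self, link, pin_link):
        self.link = link
        self.pin_link = pin_link
        if pin_link:
            link.kref_get()          # fix: hold tty->link for the ldisc lifetime (ldisc_open)

    def write_room(self):
        """Models tty_write_room() -> pty_write_room() reading tty->link->port."""
        if self.link.freed:
            return "use-after-free"  # what KASAN flags on the real kernel
        return self.link.port["buf_size"]

    def release(self):
        if self.pin_link:
            self.link.kref_put()     # fix: matching put in ser_release()


def scenario(pin_link):
    """Run close-peer-then-transmit; return (write_room result, peer freed at the end)."""
    peer = LinkedTty("pts-peer")
    ldisc = CaifLdisc(peer, pin_link)
    peer.kref_put()                  # the peer end of the PTY pair is closed
    room = ldisc.write_room()        # transmit path runs after that close
    ldisc.release()
    return room, peer.freed


if __name__ == "__main__":
    print("vulnerable:", scenario(False))   # ('use-after-free', True)
    print("fixed:     ", scenario(True))    # (4096, True)
```

scenario(False) models the vulnerable ordering: the peer's final put frees the object before the transmit path reads its port. scenario(True) models the fixed ordering: the extra reference keeps the peer alive across the close, the transmit path reads valid memory, and the count reaches zero only when the line discipline releases its reference.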
Detection Methods for CVE-2026-43458
Indicators of Compromise
- KASAN reports in dmesg referencing slab-use-after-free in pty_write_room with call stacks through caif_serial TX functions
- Unexpected kernel oopses or panics on systems where unprivileged processes interact with PTYs and line disciplines
- Audit records showing non-root processes invoking ioctl(TIOCSETD) with the CAIF line discipline number
Detection Strategies
- Enable KASAN on test and pre-production kernels to surface the use-after-free during fuzzing and CI runs
- Inventory running kernel versions and cross-reference against the fixed commits listed in the kernel.org references
- Hunt process telemetry for unusual ioctl(TIOCSETD) activity binding caif_serial to TTYs from non-system accounts
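The indicators and hunting strategies above can be turned into a small triage script. The following is an added example, not part of this advisory or of any kernel or distribution tooling, and it runs over constructed dmesg and auditd lines embedded in the block. The KASAN scanner matches the report header for slab-use-after-free in pty_write_room and requires a call-trace frame tagged [caif_serial]; the frame function names in the sample are constructed and only the module tag is matched. The auditd scanner flags non-root ioctl calls whose request argument (a1) is TIOCSETD (0x5423 in the UAPI headers; syscall 16 is ioctl on x86_64). For TIOCSETD the discipline number lives behind the user pointer in a2, so auditd alone cannot confirm N_CAIF; confirming the discipline needs host follow-up.

```python
"""Added example, not part of the advisory: triage dmesg and auditd lines for the
CVE-2026-43458 indicators. Sample inputs below are constructed."""
import re

# Values from the Linux UAPI headers / x86_64 syscall table.
TIOCSETD = 0x5423          # ioctl request that sets a TTY line discipline
SYS_IOCTL_X86_64 = 16      # ioctl syscall number when arch=c000003e
ARCH_X86_64 = "c000003e"

KASAN_HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
TRACE_FRAME = re.compile(r"\s*\w+\+0x[0-9a-f]+/0x[0-9a-f]+")
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def scan_kasan(lines):
    """Return KASAN reports whose faulting function is pty_write_room and whose
    call trace passes through the caif_serial module (the [caif_serial] tag)."""
    reports, current = [], None
    for raw in lines:
        line = raw.split("] ", 1)[-1]           # drop the "[ secs.usecs]" prefix
        header = KASAN_HEADER.search(line)
        if header:
            current = {"kind": header.group("kind"),
                       "func": header.group("func"), "frames": []}
            reports.append(current)
        elif current is not None:
            if line.startswith("===="):         # closing delimiter of the report
                current = None
            elif TRACE_FRAME.match(line):
                current["frames"].append(line.strip())
    return [r for r in reports
            if r["kind"] == "slab-use-after-free"
            and r["func"] == "pty_write_room"
            and any("[caif_serial]" in f for f in r["frames"])]


def parse_audit_record(record):
    """Split one auditd record into a key/value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in AUDIT_FIELD.findall(record)}


def scan_audit(records):
    """Flag SYSCALL records where a non-root process issued ioctl(TIOCSETD).
    a1 holds the request; the discipline number is behind the pointer in a2."""
    hits = []
    for record in records:
        f = parse_audit_record(record)
        if f.get("type") != "SYSCALL" or f.get("arch") != ARCH_X86_64:
            continue
        if int(f.get("syscall", -1)) != SYS_IOCTL_X86_64:
            continue
        if int(f.get("a1", "0"), 16) != TIOCSETD or f.get("uid") == "0":
            continue
        hits.append({k: f.get(k) for k in ("pid", "uid", "comm", "exe")})
    return hits


# Constructed sample input: one KASAN report (frame names are made up; only the
# module tag matters) and three audit records.
SAMPLE_DMESG = """\
[  812.104377] ==================================================================
[  812.104392] BUG: KASAN: slab-use-after-free in pty_write_room+0x8a/0xa0
[  812.104405] Read of size 8 at addr ffff888012345678 by task ttytool/1337
[  812.104412] Call Trace:
[  812.104415]  <TASK>
[  812.104420]  pty_write_room+0x8a/0xa0
[  812.104428]  tty_write_room+0x3b/0x50
[  812.104436]  handle_tx+0x1e2/0x4a0 [caif_serial]
[  812.104444]  caif_xmit+0x7f/0x120 [caif_serial]
[  812.104452]  </TASK>
[  812.104460] ==================================================================
""".splitlines()

SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1715000000.101:42): arch=c000003e syscall=16 success=yes '
    'exit=0 a0=3 a1=5423 a2=7ffd2b1c0e4c a3=0 items=0 ppid=900 pid=1337 auid=1000 '
    'uid=1000 gid=1000 comm="ttytool" exe="/home/user/ttytool" key="tiocsetd"',
    'type=SYSCALL msg=audit(1715000000.205:43): arch=c000003e syscall=16 success=yes '
    'exit=0 a0=5 a1=5423 a2=7ffc0a10ee10 a3=0 items=0 ppid=1 pid=611 auid=4294967295 '
    'uid=0 gid=0 comm="agetty" exe="/sbin/agetty" key="tiocsetd"',
    'type=SYSCALL msg=audit(1715000000.310:44): arch=c000003e syscall=16 success=yes '
    'exit=0 a0=3 a1=5401 a2=7ffd2b1c0e00 a3=0 items=0 ppid=900 pid=1338 auid=1000 '
    'uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash"',
]

if __name__ == "__main__":
    for r in scan_kasan(SAMPLE_DMESG):
        print("KASAN", r["kind"], "in", r["func"], "via", r["frames"][-1])
    for h in scan_audit(SAMPLE_AUDIT):
        print("TIOCSETD by non-root:", h)
```

An audit rule of the form `-a always,exit -F arch=b64 -S ioctl -F a1=21539 -k tiocsetd` (21539 is 0x5423 in decimal) makes auditd emit SYSCALL records of the shape the second scanner consumes; the root-owned getty record in the sample shows why the uid filter is needed to keep legitimate line-discipline changes out of the alert stream.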
Monitoring Recommendations
- Forward kernel ring buffer and auditd logs to a centralized analytics platform and alert on KASAN, BUG, or general protection fault entries
- Monitor module load events for caif_serial on systems that do not require CAIF functionality
- Track local privilege escalation precursors such as repeated kernel crashes on the same host
How to Mitigate CVE-2026-43458
Immediate Actions Required
- Apply the upstream stable kernel updates that include the caif_serial reference-counting fix
- On systems that do not require CAIF, blacklist or unload the caif_serial module to remove the attack surface
- Restrict access to pseudo-terminal creation and line-discipline configuration where operational policy allows
Patch Information
The fix is distributed across multiple stable kernel branches. Relevant commits include 23a3ac2e2262, 27e43356d0de, 288598d80a06, 35b58d3bc716, 52135420e9f7, 8460187b4852, 97a0bb491cae, and ca2ceba983bb. Each adds a kref on tty->link held for the lifetime of the line discipline.
Workarounds
- Prevent the caif_serial module from loading by adding it to /etc/modprobe.d/ blacklist files on systems that do not need CAIF
- Reduce exposure by limiting which users can allocate PTYs or change line disciplines through namespace and capability controls
- Maintain KASAN-enabled test kernels to catch regressions before deploying to production
# Configuration example
# "blacklist" stops alias-based autoloading of caif_serial; "install ... /bin/true"
# turns an explicit modprobe of the module into a no-op
echo 'blacklist caif_serial' | sudo tee /etc/modprobe.d/disable-caif-serial.conf
echo 'install caif_serial /bin/true' | sudo tee -a /etc/modprobe.d/disable-caif-serial.conf
# Refresh module dependency metadata
sudo depmod -a
# Unload the module if it is already resident; ignore the error when it is not loaded
sudo rmmod caif_serial 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.