Bug 2464449 (CVE-2026-43056) - CVE-2026-43056 kernel: net: mana: fix use-after-free in add_adev() error path
Summary: CVE-2026-43056 kernel: net: mana: fix use-after-free in add_adev() error path
Keywords:
Status: NEW
Alias: CVE-2026-43056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:07 UTC by OSIDB Bzimport
Modified: 2026-06-19 23:21 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:25217 0 None None None 2026-06-11 10:13:31 UTC
Red Hat Product Errata RHSA-2026:27288 0 None None None 2026-06-19 23:21:57 UTC
Red Hat Product Errata RHSA-2026:27353 0 None None None 2026-06-19 16:51:13 UTC
Red Hat Product Errata RHSA-2026:27354 0 None None None 2026-06-19 16:29:41 UTC

Description OSIDB Bzimport 2026-05-01 15:07:26 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: mana: fix use-after-free in add_adev() error path

If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls
auxiliary_device_uninit(adev).

The auxiliary device has its release callback set to adev_release(),
which frees the containing struct mana_adev. Since adev is embedded in
struct mana_adev, the subsequent fall-through to init_fail and access
to adev->id may result in a use-after-free.

Fix this by saving the allocated auxiliary device id in a local
variable before calling auxiliary_device_add(), and use that saved id
in the cleanup path after auxiliary_device_uninit().
Comment 1 Keith Grant 2026-05-01 19:00:37 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050108-CVE-2026-43056-fefd@gregkh/T
Comment 8 errata-xmlrpc 2026-06-11 10:13:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25217 https://access.redhat.com/errata/RHSA-2026:25217
Comment 9 errata-xmlrpc 2026-06-19 16:29:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:27354 https://access.redhat.com/errata/RHSA-2026:27354
Comment 10 errata-xmlrpc 2026-06-19 16:51:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:27353 https://access.redhat.com/errata/RHSA-2026:27353
Comment 11 errata-xmlrpc 2026-06-19 23:21:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:27288 https://access.redhat.com/errata/RHSA-2026:27288
Note You need to log in before you can comment on or make changes to this bug.