HOMEVULNERABILITIESCVE-2026-43232
HIGH

CVE-2026-43232

Published: May 6, 2026· Updated: May 12, 2026

8.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets

When the FarSync T-series card is being detached, the fst_card_info is

deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task

may still be running or pending, leading to use-after-free bugs when the

already freed fst_card_info is accessed in fst_process_tx_work_q() or

fst_process_int_work_q().

A typical race condition is depicted below:

CPU 0 (cleanup) | CPU 1 (tasklet)

| fst_start_xmit()

fst_remove_one() | tasklet_schedule()

unregister_hdlc_device()|

| fst_process_tx_work_q() //handler

kfree(card) //free | do_bottom_half_tx()

| card-> //use

The following KASAN trace was captured:

==================================================================

BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00

Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32

...

Call Trace:

<IRQ>

dump_stack_lvl+0x55/0x70

print_report+0xcb/0x5d0

? do_bottom_half_tx+0xb88/0xd00

kasan_report+0xb8/0xf0

? do_bottom_half_tx+0xb88/0xd00

do_bottom_half_tx+0xb88/0xd00

? _raw_spin_lock_irqsave+0x85/0xe0

? __pfx__raw_spin_lock_irqsave+0x10/0x10

? __pfx___hrtimer_run_queues+0x10/0x10

fst_process_tx_work_q+0x67/0x90

tasklet_action_common+0x1fa/0x720

? hrtimer_interrupt+0x31f/0x780

handle_softirqs+0x176/0x530

__irq_exit_rcu+0xab/0xe0

sysvec_apic_timer_interrupt+0x70/0x80

...

Allocated by task 41 on cpu 3 at 72.330843s:

kasan_save_stack+0x24/0x50

kasan_save_track+0x17/0x60

__kasan_kmalloc+0x7f/0x90

fst_add_one+0x1a5/0x1cd0

local_pci_probe+0xdd/0x190

pci_device_probe+0x341/0x480

really_probe+0x1c6/0x6a0

__driver_probe_device+0x248/0x310

driver_probe_device+0x48/0x210

__device_attach_driver+0x160/0x320

bus_for_each_drv+0x101/0x190

__device_attach+0x198/0x3a0

device_initial_probe+0x78/0xa0

pci_bus_add_device+0x81/0xc0

pci_bus_add_devices+0x7e/0x190

enable_slot+0x9b9/0x1130

acpiphp_check_bridge.part.0+0x2e1/0x460

acpiphp_hotplug_notify+0x36c/0x3c0

acpi_device_hotplug+0x203/0xb10

acpi_hotplug_work_fn+0x59/0x80

...

Freed by task 41 on cpu 1 at 75.138639s:

kasan_save_stack+0x24/0x50

kasan_save_track+0x17/0x60

kasan_save_free_info+0x3b/0x60

__kasan_slab_free+0x43/0x70

kfree+0x135/0x410

fst_remove_one+0x2ca/0x540

pci_device_remove+0xa6/0x1d0

device_release_driver_internal+0x364/0x530

pci_stop_bus_device+0x105/0x150

pci_stop_and_remove_bus_device+0xd/0x20

disable_slot+0x116/0x260

acpiphp_disable_and_eject_slot+0x4b/0x190

acpiphp_hotplug_notify+0x230/0x3c0

acpi_device_hotplug+0x203/0xb10

acpi_hotplug_work_fn+0x59/0x80

...

The buggy address belongs to the object at ffff88800aad1000

which belongs to the cache kmalloc-1k of size 1024

The buggy address is located 28 bytes inside of

freed 1024-byte region

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

flags: 0x100000000000040(head|node=0|zone=1)

page_type: f5(slab)

raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000

raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000

head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000

head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000

head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff

head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

>ffff88800aad1000: fa fb

---truncated---

NVD Source

Technical Analysis

CVE-2026-43232 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionRequired
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (8)

Quick Facts

CVE IDCVE-2026-43232
CVSS Score8.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43232 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.