Use-after-free Vulnerability Affecting Linux Kernel PCI Glue Driver
CVE-2026-43015
What is CVE-2026-43015?
A use-after-free vulnerability has been identified in the Linux kernel's PCI glue driver. The issue occurs when platform_device_unregister() attempts to use registered clocks after the platform device has been unregistered. This can result in a memory access violation and undefined behavior. The vulnerability traces back to commit d82d5303c4c5, which aimed to fix a similar issue but inadvertently moved the flaw elsewhere. The mitigation saves the clock pointers in local variables so they can be reused after the device is unregistered, preventing the erroneous memory accesses.
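The ordering problem and the local-variable mitigation described above, as an added user-space model that is not the kernel driver's code. Every type and function name is hypothetical, and the model assumes that unregistering the device releases the structure holding the clock pointers; a flag and a checked accessor stand in for the real free and dereference so both orderings can be run safely.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-space model; every name here is hypothetical, not a kernel API. */
struct clk { bool registered; };
struct glue_data { struct clk *pclk, *hclk; bool freed; };
struct glue_dev { struct glue_data *data; };
struct result { int stale_reads, clocks_left; };

static int stale_reads; /* reads of glue_data after its release */

/* Checked accessor standing in for a raw dereference of the data. */
static struct clk *data_clk(struct glue_data *d, bool want_hclk)
{
    if (d->freed) { stale_reads++; return NULL; }
    return want_hclk ? d->hclk : d->pclk;
}

static void model_clk_unregister(struct clk *c) { if (c) c->registered = false; }

/* Assumption: unregistering the device releases its per-device data. */
static void model_dev_unregister(struct glue_dev *dev) { dev->data->freed = true; }

/* Flawed ordering: clock pointers are fetched after the release. */
static void remove_flawed(struct glue_dev *dev)
{
    model_dev_unregister(dev);
    model_clk_unregister(data_clk(dev->data, false));
    model_clk_unregister(data_clk(dev->data, true));
}

/* Mitigated ordering: copy the pointers into locals first. */
static void remove_fixed(struct glue_dev *dev)
{
    struct clk *pclk = data_clk(dev->data, false);
    struct clk *hclk = data_clk(dev->data, true);
    model_dev_unregister(dev);
    model_clk_unregister(pclk);
    model_clk_unregister(hclk);
}

/* Runs one removal path on fresh constructed state. */
static struct result run_remove(bool fixed)
{
    struct clk p = { true }, h = { true };
    struct glue_data d = { &p, &h, false };
    struct glue_dev dev = { &d };
    stale_reads = 0;
    if (fixed) remove_fixed(&dev); else remove_flawed(&dev);
    return (struct result){ stale_reads, p.registered + h.registered };
}
int main(void) { return run_remove(true).stale_reads; }
```

In the model, the flawed ordering records two stale reads and leaves both clocks registered, while the mitigated ordering records none and unregisters both.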
Affected Version(s)
Linux 7721221e87d25c9840d9ca6b986dbdc410d5ce2b
Linux d82d5303c4c539db86588ffb5dc5b26c3f1513e8 < 67f70841a175fa3469119f52d77a3662c07507a2
Linux d82d5303c4c539db86588ffb5dc5b26c3f1513e8 < 2d96204e4184d6f7dd2f93c6f218fd0c1f55e9ae