PatchSiren

CVE-2026-45866 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's CAIF serial line discipline (ldisc) driver allows local attackers to trigger memory corruption. The race condition occurs between ldisc_close() and packet transmission paths, where the TTY structure may be freed while still being accessed by handle_tx(). The vulnerability was resolved by moving tty_kref_put() from ldisc_close() to ser_release(), ensuring the TTY reference is held for the lifetime of the network device.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel developers, embedded systems engineers using CAIF cellular modems, security teams monitoring kernel vulnerabilities, and organizations running Linux-based infrastructure with serial line discipline configurations.

Technical summary

The CAIF (Cellular Access Interface) serial line discipline driver in the Linux kernel contains a use-after-free vulnerability. The issue stems from a race condition where tty_kref_put() is called in ldisc_close() while the network device remains active and can receive packets. Concurrently, handle_tx() may access ser->tty after it has been freed. The fix relocates tty_kref_put() to ser_release(), which executes after unregister_netdevice(), ensuring the TTY reference lifetime matches the network device lifetime. The ser->tty pointer is saved before unregister_netdevice() because the ser structure is embedded in netdev private data with needs_free_netdev=true.
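
The reference ordering described above, as a userspace model added here for illustration (it is not kernel code and not the upstream patch). The struct names, helper functions and the single fixed interleaving are assumptions; only the function names in the comments come from the advisory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model: names follow the advisory, bodies are simplified stand-ins. */
struct tty_model { int kref; bool freed; };
struct ser_model { struct tty_model *tty; bool netdev_registered; };

static void tty_put(struct tty_model *t)
{
    if (--t->kref == 0)
        t->freed = true;        /* last reference gone: memory is released */
}

/* Transmit path (handle_tx): true if it dereferences an already-freed tty. */
static bool tx_touches_freed_tty(const struct ser_model *s)
{
    return s->netdev_registered && s->tty->freed;
}

/* One fixed interleaving: close, a transmit in the race window, then release. */
static bool run_teardown(bool fixed, int *final_kref)
{
    struct tty_model tty = { .kref = 1, .freed = false };
    struct ser_model ser = { .tty = &tty, .netdev_registered = true };

    if (!fixed)
        tty_put(ser.tty);                   /* old: put in ldisc_close() */
    bool uaf = tx_touches_freed_tty(&ser);  /* netdev still registered */

    struct tty_model *saved = ser.tty;      /* save before ser goes away */
    ser.netdev_registered = false;          /* unregister_netdevice() */
    ser.tty = NULL;                         /* ser is freed with the netdev */
    if (fixed)
        tty_put(saved);                     /* new: put in ser_release() */

    *final_kref = tty.kref;
    return uaf;
}

static bool teardown_hits_uaf(bool fixed) { int k; return run_teardown(fixed, &k); }
static int teardown_final_kref(bool fixed) { int k; run_teardown(fixed, &k); return k; }

int main(void)
{
    printf("old:   uaf=%d kref=%d\n", teardown_hits_uaf(false), teardown_final_kref(false));
    printf("fixed: uaf=%d kref=%d\n", teardown_hits_uaf(true), teardown_final_kref(true));
    return 0;
}
```

Both orderings end with the reference count at zero, so the fix changes when the reference is dropped without leaking it.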

Defensive priority

high

Recommended defensive actions

  • Apply the appropriate stable kernel patch from the Linux kernel stable tree for your kernel version
  • Update to a fixed kernel version once available through distribution channels
  • If running custom kernels, cherry-pick the fix: move tty_kref_put() from ldisc_close() to ser_release() after unregister_netdevice()
  • Monitor for kernel updates from your Linux distribution addressing this CVE

Evidence notes

The vulnerability description includes a detailed KASAN report showing a slab-use-after-free read in handle_tx() at offset 0x5d1/0x620. The race window is explicitly documented with CPU interleaving between ldisc_close() and caif_xmit() paths. Multiple stable kernel patches are available across supported versions.

Official resources

The vulnerability was disclosed via the Linux kernel stable tree with patches published on 2026-05-27. The issue was identified through KASAN (Kernel Address Sanitizer) detection of a slab-use-after-free condition in handle_tx(). A reproduс