PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45866 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's CAIF serial line discipline (ldisc) driver allows local attackers to trigger memory corruption. The race condition occurs between ldisc_close() and packet transmission paths, where the TTY structure may be freed while still being accessed by handle_tx(). The vulnerability was resolved by moving tty_kref_put() from ldisc_close() to ser_release(), ensuring the TTY reference is held for the lifetime of the network device.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-06-25
Advisory published
2026-05-27
Advisory updated
2026-06-25

Who should care

Linux system administrators, kernel developers, embedded systems engineers using CAIF cellular modems, security teams monitoring kernel vulnerabilities, and organizations running Linux-based infrastructure with serial line discipline configurations

Technical summary

The CAIF (Cellular Access Interface) serial line discipline driver in the Linux kernel contains a use-after-free vulnerability. The issue stems from a race condition where tty_kref_put() is called in ldisc_close() while the network device remains active and can receive packets. Concurrently, handle_tx() may access ser->tty after it has been freed. The fix relocates tty_kref_put() to ser_release(), which executes after unregister_netdevice(), ensuring the TTY reference lifetime matches the network device lifetime. The ser->tty pointer is saved before unregister_netdevice() because the ser structure is embedded in netdev private data with needs_free_netdev=true.

Defensive priority

high

Recommended defensive actions

  • Apply the appropriate stable kernel patch from the Linux kernel stable tree for your kernel version
  • Update to a fixed kernel version once available through distribution channels
  • If running custom kernels, cherry-pick the fix: move tty_kref_put() from ldisc_close() to ser_release() after unregister_netdevice()
  • Monitor for kernel updates from your Linux distribution addressing this CVE

Evidence notes

The vulnerability description includes a detailed KASAN report showing a slab-use-after-free read in handle_tx() at offset 0x5d1/0x620. The race window is explicitly documented with CPU interleaving between ldisc_close() and caif_xmit() paths. Multiple stable kernel patches are available across supported versions.

Official resources

The vulnerability was disclosed via the Linux kernel stable tree with patches published on 2026-05-27. The issue was identified through KASAN (Kernel Address Sanitizer) detection of a slab-use-after-free condition in handle_tx(). A reproduс