目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-45866— Linux kernel 安全漏洞

AI 预测 6.5 利用难度: 中等 EPSS 0.16% · P6

影响版本矩阵 18

厂商产品版本范围状态
LinuxLinux56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< 5e266ba8d330d3b8e5bc198f238cd8901826cfa1affected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< d3c75db4e0460641dbcd274b40867e252d801da1affected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< 4e63d6f68544ae5269ac9735ae5b69b59b5b8725affected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< 331e2b7051635780edea248dd08ae2026c126f4aaffected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< 52731ef4438155cea782fac74e547a327ab9e7c5affected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< c8c197aaa56b25a2d54f3aa07e27e228d6c08546affected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< 40962f2bf8cdba63af23aec95ad3f49b689e58e2affected
56e0ef527b184b3de2d7f88c6190812b2b2ac6bf< 308e7e4d0a846359685f40aade023aee7b27284caffected
… +10 条更多
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-45866 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
serial: caif: fix use-after-free in caif_serial ldisc_close()
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caif_serial ldisc_close() There is a use-after-free bug in caif_serial where handle_tx() may access ser->tty after the tty has been freed. The race condition occurs between ldisc_close() and packet transmission: CPU 0 (close) CPU 1 (xmit) ------------- ------------ ldisc_close() tty_kref_put(ser->tty) [tty may be freed here] <-- race window --> caif_xmit() handle_tx() tty = ser->tty // dangling ptr tty->ops->write() // UAF! schedule_work() ser_release() unregister_netdevice() The root cause is that tty_kref_put() is called in ldisc_close() while the network device is still active and can receive packets. Since ser and tty have a 1:1 binding relationship with consistent lifecycles (ser is allocated in ldisc_open and freed in ser_release via unregister_netdevice, and each ser binds exactly one tty), we can safely defer the tty reference release to ser_release() where the network device is unregistered. Fix this by moving tty_kref_put() from ldisc_close() to ser_release(), after unregister_netdevice(). This ensures the tty reference is held as long as the network device exists, preventing the UAF. Note: We save ser->tty before unregister_netdevice() because ser is embedded in netdev's private data and will be freed along with netdev (needs_free_netdev = true). How to reproduce: Add mdelay(500) at the beginning of ldisc_close() to widen the race window, then run the reproducer program [1]. Note: There is a separate deadloop issue in handle_tx() when using PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper serial backend). This deadloop exists even without this patch, and is likely caused by inconsistency between uart_write_room() and uart_write() in serial core. It has been addressed in a separate patch [2]. KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620 Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929 Call Trace: <TASK> dump_stack_lvl+0x10e/0x1f0 print_report+0xd0/0x630 kasan_report+0xe4/0x120 handle_tx+0x5d1/0x620 dev_hard_start_xmit+0x9d/0x6c0 __dev_queue_xmit+0x6e2/0x4410 packet_xmit+0x243/0x360 packet_sendmsg+0x26cf/0x5500 __sys_sendto+0x4a3/0x520 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0xc9/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f615df2c0d7 Allocated by task 9930: Freed by task 64: Last potentially related work creation: The buggy address belongs to the object at ffff8881131e1000 which belongs to the cache kmalloc-cg-2k of size 2048 The buggy address is located 1168 bytes inside of freed 2048-byte region [ffff8881131e1000, ffff8881131e1800) The buggy address belongs to the physical page: page_owner tracks the page as allocated page last free pid 9778 tgid 9778 stack trace: Memory state around the buggy address: ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb [2]: https://lore.kernel.org/linux-serial/20260204074327.226165-1-jiayuan.chen@linux.dev/T/#u
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于caif_serial线路规程关闭时存在释放后重用,可能导致在tty释放后访问ser->tty。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux 56e0ef527b184b3de2d7f88c6190812b2b2ac6bf ~ 5e266ba8d330d3b8e5bc198f238cd8901826cfa1 -
LinuxLinux 3.11 -

二、漏洞 CVE-2026-45866 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-45866 的情报信息

登录查看更多情报信息。

CVE-2026-45866 补丁与修复 (8)

同批安全公告 · Linux · 2026-05-27 · 共 275 条

CVE-2026-458989.8 CRITICALLinux kernel 安全漏洞
CVE-2026-460399.8 CRITICALLinux kernel 安全漏洞
CVE-2026-459729.8 CRITICALLinux kernel 安全漏洞
CVE-2026-459889.8 CRITICALLinux kernel 安全漏洞
CVE-2026-460439.1 CRITICALLinux kernel 安全漏洞
CVE-2026-459458.8 HIGHLinux kernel 安全漏洞
CVE-2026-460568.8 HIGHLinux kernel 安全漏洞
CVE-2026-458438.2 HIGHLinux kernel 安全漏洞
CVE-2026-460378.2 HIGHLinux kernel 安全漏洞
CVE-2026-460108.1 HIGHLinux kernel 安全漏洞
CVE-2026-460998.1 HIGHLinux kernel 安全漏洞
CVE-2026-460767.9 HIGHLinux kernel 安全漏洞
CVE-2026-459597.8 HIGHLinux kernel 安全漏洞
CVE-2026-459567.8 HIGHLinux kernel 安全漏洞
CVE-2026-459107.8 HIGHLinux kernel 安全漏洞
CVE-2026-460937.8 HIGHLinux kernel 安全漏洞
CVE-2026-460537.8 HIGHLinux kernel 安全漏洞
CVE-2026-459357.8 HIGHLinux kernel 安全漏洞
CVE-2026-458627.8 HIGHLinux kernel 安全漏洞
CVE-2026-458947.8 HIGHLinux kernel 安全漏洞

显示前 20 条,共 275 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-45866

暂无评论


发表评论