PT-2026-42454 · Linux · Linux Kernel

Published: 2026-05-21 · Updated: 2026-05-30 · CVE-2026-43497

CVSS v3.1: 7.3 (High)

Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A use-after-free issue exists in the udlfb component of the fbdev subsystem. The dlfb_ops_mmap() function uses remap_pfn_range() to map vmalloc framebuffer pages to userspace without setting vm_ops on the VMA, preventing the kernel from tracking active mmaps. Consequently, when dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs (Page Table Entries) are not invalidated. Upon USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, allowing a process to retain read/write access to freed kernel pages.

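The lifetime gap described above, as an added userspace model in C (not kernel code, not the udlfb source, and not the upstream fix): it contrasts a mapping path with no open/close hooks against one that counts live mappings. All names are hypothetical, and refusing the resize with -EBUSY while mappings exist is an assumed policy chosen for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name below is hypothetical, not udlfb code. */
struct fb_model {
    unsigned buf_gen;    /* generation of the current backing buffer */
    unsigned freed_gen;  /* highest generation already freed, 0 = none */
    int mmap_count;      /* maintained only when mapping hooks exist */
    bool has_vm_ops;     /* false models the behaviour in the description */
};
struct mapping { unsigned gen; };  /* buffer generation the PTEs reference */

/* mmap(): the mapping references the current buffer; counted only with hooks. */
static struct mapping model_mmap(struct fb_model *fb)
{
    if (fb->has_vm_ops)
        fb->mmap_count++;          /* what a vm_ops open hook would record */
    return (struct mapping){ .gen = fb->buf_gen };
}

/* munmap(): what a vm_ops close hook would record. */
static void model_munmap(struct fb_model *fb) { if (fb->has_vm_ops) fb->mmap_count--; }

/* Buffer replacement (the FBIOPUT_VSCREENINFO path in the description). */
static int model_realloc(struct fb_model *fb)
{
    if (fb->mmap_count > 0)
        return -EBUSY;             /* assumed policy: refuse while mapped */
    fb->freed_gen = fb->buf_gen;   /* old buffer is released here */
    fb->buf_gen++;
    return 0;
}

/* Map, then resize; true if the mapping now references a freed buffer. */
static bool stale_after_resize(bool has_vm_ops)
{
    struct fb_model fb = { .buf_gen = 1, .has_vm_ops = has_vm_ops };
    struct mapping m = model_mmap(&fb);
    (void)model_realloc(&fb);
    return m.gen <= fb.freed_gen;
}

int main(void)
{
    printf("no hooks: stale=%d, hooks: stale=%d\n",
           stale_after_resize(false), stale_after_resize(true));
    return 0;
}
```
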
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2026-43497
ECHO-8D60-A235-3FD6
OPENSUSE-SU-2026:10859-1

Affected Products

Linux Kernel