Skip to main content

Linux Kernel CVE-2026-46075

| EUVDEUVD-2026-32457 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-66q3-24gv-6744
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.0 MEDIUM

Triggering the remove path requires privileged driver unbind (PR:H) and winning a teardown race (AC:H); UAF yields limited info leak (C:L) plus memory corruption and crash (I:H/A:H).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:08 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path

Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed.

Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak.

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.

Technical ContextAI

The affected code is drivers/crypto/atmel-sha204a.c, the kernel driver for Microchip/Atmel ATSHA204A secure-element chips that hang off an I2C bus and expose a hardware random number generator (hwrng) to the kernel's crypto/RNG subsystem. The root cause is CWE-416 (Use-After-Free): during device removal the driver did not call hwrng_unregister() to stop new ->read() calls and did not flush the shared Atmel I2C workqueue, so an in-flight asynchronous callback could dereference driver state after it was freed. A separate early return in the remove path skipped sysfs cleanup and freeing of hwrng.priv, producing a memory leak. The fix reorders teardown to unregister the hwrng and flush the workqueue first, then removes the early return so all resources are released.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.6.140, 6.12.86, 6.18.27, 7.0.4, or mainline 7.1-rc1 - or your distribution's backport that incorporates the corresponding commits (e.g. https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1 and the other listed stable hashes). Because the bug is only reachable on the driver teardown path, an effective compensating control until you can reboot into a patched kernel is to avoid removing/unbinding the atmel-sha204a device (do not write to its sysfs unbind entry or hot-remove the I2C device) and to restrict root/admin access that could trigger an unbind; if the ATSHA204A chip is not used, blacklisting the atmel-sha204a module (modprobe blacklist) removes the vulnerable code path entirely, at the cost of losing that hardware RNG/secure-element support.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy