Skip to main content

Linux Kernel CVE-2026-46121

| EUVDEUVD-2026-32880 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-496c-fq9m-2rhq
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local-only sysfs access (AV:L); winning a race window makes it AC:H; PR:L for the file-access requirement; the UAF can disclose and corrupt kernel memory giving C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:01 vuln.today
CVSS changed
Jun 24, 2026 - 16:52 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".

Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free. Fix those.

This patch (of 2):

damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.

AnalysisAI

Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Technical ContextAI

DAMON (Data Access MONitor) is the in-kernel data access monitoring subsystem exposed to userspace through a sysfs interface under /sys/kernel/mm/damon. Scheme filters can target a memory cgroup by path via the 'memcg_path' file, backed by a heap buffer pointed to by damon_sysfs_scheme_filter->memcg_path. Reads of that file (including indirect reads when parameters are committed online/offline, which were already serialized by damon_sysfs_lock) could run concurrently with a user-driven write that frees and reallocates the buffer. Because the direct user reads and writes did not take damon_sysfs_lock, a reader could dereference an already-freed allocation. This is a classic CWE-416 use-after-free arising from missing lock-based serialization of an object's lifetime. Per CPE data the affected component is cpe:2.3:o:linux:linux_kernel across multiple stable lines and 6.16 release candidates (rc4-rc7).

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.6.140, 6.12.88, 7.0.7 (and 7.1-rc2), or 6.16 with the fix applied, per the EUVD-listed patch versions; the upstream fix serializes memcg_path reads and writes under damon_sysfs_lock and was merged in the stable commits referenced at git.kernel.org (e.g. https://git.kernel.org/stable/c/c88802d0e8edd14b6cd2daf3000f99adbc4c85c5). Apply your distribution's corresponding kernel update once published and reboot. If immediate patching is not possible, restrict access to the DAMON sysfs tree - ensure /sys/kernel/mm/damon and its scheme files are root-owned and not exposed to unprivileged users or containers (avoid bind-mounting it into containers), which prevents untrusted writers from triggering the race at the cost of losing userspace DAMON tuning for those principals; alternatively, on systems that do not need access-aware reclaim/monitoring, build or boot a kernel without CONFIG_DAMON_SYSFS, which removes the vulnerable interface entirely but disables DAMON's sysfs-driven features.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy