Skip to main content

Linux Kernel CVE-2026-46280

| EUVDEUVD-2026-35145 HIGH
Use After Free (CWE-416)
2026-06-08 Linux GHSA-vjjg-r28q-g2g4
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Local access to a test-only module with low privileges (PR:L); race-like fault ordering raises AC:H; availability is the dominant impact (panic), with limited C/I from UAF.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:25 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 cve.org
HIGH 7.8
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

lib: test_hmm: evict device pages on file close to avoid use-after-free

Patch series "Minor hmm_test fixes and cleanups".

Two bugfixes a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems.

This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror.

If a subsequent fault occurs on those pages (eg. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.

AnalysisAI

Use-after-free in the Linux kernel's HMM (Heterogeneous Memory Management) test driver (lib/test_hmm) allows local users to trigger a kernel panic and potentially escalate privileges when device private pages are faulted in after the dmirror file descriptor is closed. The flaw was discovered during arm64 selftest runs where a SIGABRT coredump walked stale VMAs and dereferenced a dangling zone_device_data pointer. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees.

Technical ContextAI

The affected component is lib/test_hmm.c, the kernel selftest module for HMM device private memory used to validate the migrate_to_ram fault path for ZONE_DEVICE pages. On dmirror_fops_release(), the dmirror struct was being freed without first calling dmirror_device_evict_chunk() to migrate device private pages back to system memory, so the page->zone_device_data pointer continued to reference freed memory. A later page fault - for example during coredump VMA walking - invoked dmirror_devmem_fault() on those stale pages, dereferencing the dangling pointer. This is a classic CWE-416 (Use After Free) condition rooted in resource lifecycle mismanagement between file release and device-memory page ownership. Affected CPE strings are cpe:2.3:a:linux:linux:*, and the bug is present in kernels that build the HMM selftest module (CONFIG_TEST_HMM), which is typically only enabled on test/QA kernels rather than production distributions.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) depending on your stable series, per the kernel.org stable commits at https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1, https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3, https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239, https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144, and https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0. As a compensating control until rebuild, set CONFIG_TEST_HMM=n and rebuild the kernel - this removes the vulnerable module entirely at the cost of losing HMM selftest coverage on that host; if rebuilding is not possible, blacklist the test_hmm module via /etc/modprobe.d and restrict permissions on /dev/hmm_dmirror* device nodes to root only, with the side effect of breaking any local HMM test tooling. Avoid generating coredumps from processes that have mapped HMM device-private pages on unpatched test kernels, since coredump-triggered faults are the specific path that surfaces the UAF.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy