Skip to main content

Linux Kernel CVE-2026-46285

| EUVDEUVD-2026-35150 HIGH
Use After Free (CWE-416)
2026-06-08 Linux GHSA-42x9-78r4-7gj5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.4 MEDIUM

Reaching docg3_release() requires privileged device/module teardown (PR:H) on local systems with the specific driver; the dangling-pointer read most plausibly causes a crash, so A:H with no confirmed C/I impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 21:51 vuln.today
CVSS changed
Jul 08, 2026 - 21:37 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
HIGH 7.8
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

AnalysisAI

Local memory corruption in the Linux kernel's mtd/docg3 M-Systems DiskOnChip driver occurs when docg3_release() dereferences a docg3 pointer already freed by doc_release_device() (kfree at line 1881), a CWE-416 use-after-free reachable during device teardown. Only systems that load the docg3 driver for DiskOnChip G3 flash hardware are affected. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 7th percentile), and the issue is not in CISA KEV; it has been fixed upstream across multiple stable branches.

Technical ContextAI

The affected component is the MTD (Memory Technology Device) subsystem's docg3 driver, which supports M-Systems/Sandisk DiskOnChip G3 NAND-flash-on-chip devices. The root cause is a classic use-after-free (CWE-416): docg3_release() caches a docg3 pointer from cascade->floors[0]->priv, then a loop calls doc_release_device() on each floor, which frees that same struct via kfree(docg3). After the loop, code dereferences docg3->cascade->bch - a read through the dangling pointer. The fix references cascade->bch directly (the cascade struct is still valid and available as a local), eliminating the stale docg3 dereference. CPE data identifies the affected product as linux:linux (cpe:2.3:a:linux:linux:*).

RemediationAI

Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later on your branch); the corresponding upstream commits are at https://git.kernel.org/stable/ (e.g. 8408655ec8344511667b61d8257dc59c80ee3391, f5d2ed4ed47d3906e2495a3537a48b127f497a17). Distribution users should apply Ubuntu USN-8489-1 and USN-8488-1 or the equivalent vendor kernel update and reboot. As a compensating control on systems that do not use DiskOnChip G3 hardware, prevent the driver from loading by blacklisting the docg3 module (e.g. an /etc/modprobe.d entry with 'blacklist docg3' and 'install docg3 /bin/true'), which fully removes the affected code path with no functional side effect on hardware that lacks the device; restricting root/CAP_SYS_MODULE also limits who can trigger the teardown path, at the cost of tighter operational constraints.

Share

CVE-2026-46285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy