Skip to main content

Linux Kernel CVE-2026-46308

| EUVDEUVD-2026-35173 HIGH
Use After Free (CWE-416)
2026-06-08 Linux GHSA-rpc3-vj77-cxwg
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local vector and low privileges match the config/probe path, but triggering a probe-time UAF and winning the slab race raises complexity to AC:H; kernel-memory impact keeps C/I/A high.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 14:55 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
HIGH 7.8
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()

In scpsys_get_bus_protection_legacy(), of_find_node_with_property() returns a device node with its reference count incremented. The function then calls of_node_put(node) before checking whether syscon_regmap_lookup_by_phandle() returns an error. If an error occurs, dev_err_probe() dereferences the node pointer to print diagnostic information, but the node memory may have already been freed due to the earlier of_node_put(), leading to a use-after-free vulnerability.

Fix this by moving the of_node_put() call after the error check, ensuring the node is still valid when accessed in the error path.

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel's MediaTek power-domain (pmdomain) driver stems from a use-after-free in scpsys_get_bus_protection_legacy(), where a device node is released via of_node_put() before the error path dereferences it in dev_err_probe(). Affecting kernels using the MediaTek SCPSYS legacy bus-protection code path (typically ARM/ARM64 MediaTek SoC platforms), a local low-privileged attacker able to influence the probe error path could corrupt freed kernel memory, with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Technical ContextAI

The flaw lives in the MediaTek System Control Processor System (SCPSYS) power-domain driver within the kernel's pmdomain subsystem. During probe, scpsys_get_bus_protection_legacy() calls of_find_node_with_property(), which returns a device-tree node with an incremented reference count. The code prematurely calls of_node_put(node), dropping that reference, and only afterward checks whether syscon_regmap_lookup_by_phandle() failed. In the failure branch, dev_err_probe() dereferences the already-released node to print diagnostics. This is a classic CWE-416 Use-After-Free: the object's lifetime (reference count) is ended before the last legitimate access, so the pointer may reference freed slab memory. Per the CPE data the affected product is the Linux kernel (cpe:2.3:a:linux:linux), and exposure is limited to configurations that compile and exercise this MediaTek legacy code path.

RemediationAI

Apply the vendor-released kernel patch by upgrading to a fixed stable release: Linux 6.18.30 or later for the 6.18 series, 7.0.7 or later for the 7.0 series, or 7.1-rc3/7.1 for the development branch. Distribution users should install the corresponding vendor kernel update as soon as it ships. If immediate patching is not possible, the exposure is inherently limited to systems that build and load the MediaTek SCPSYS legacy driver, so a compensating control is to run kernels/configurations that do not enable the affected MediaTek power-domain code path on non-MediaTek hardware (trade-off: none for non-MediaTek platforms; not applicable where the driver is required). The upstream fix simply moves the of_node_put() call after the error check so the node remains valid when dev_err_probe() dereferences it; the exact fix commits are cb27e43c0511e9e1ca8818d231656070b11c18cf, 38d8410021b55d226847b2ac8d189d89fe5a8866, and ec1fcddb3117d9452210e838fd37389ee61e10e8 at git.kernel.org/stable.

CVE-2017-3216 CRITICAL POC
9.8 Jun 20

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypa

CVE-2019-15027 CRITICAL POC
9.8 Aug 14

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows atta

CVE-2016-6492 HIGH POC
7.8 Jan 12

The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driver for Linux allows local users to gain privileges

CVE-2021-37584 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37583 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37571 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37569 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37568 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37566 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37563 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37561 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37560 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

Share

CVE-2026-46308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy