Skip to main content

Linux Kernel EUVDEUVD-2026-28612

| CVE-2026-43328 HIGH
Double Free (CWE-415)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jm8j-3fg5-f3c9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 18, 2026 - 12:52 vuln.today
CVSS changed
May 18, 2026 - 12:52 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj).

The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free.

Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().

AnalysisAI

Double-free condition in the Linux kernel's cpufreq governor subsystem affects multiple stable branches and can lead to memory corruption when an error path in cpufreq_dbs_governor_init() is triggered. The flaw stems from redundant cleanup logic that calls gov->exit() and kfree(dbs_data) twice after a kobject_init_and_add() failure, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%, 7th percentile), consistent with a local memory-safety bug requiring privileged access rather than a remote attack surface.

Technical ContextAI

The vulnerability resides in the cpufreq governor framework (drivers/cpufreq/cpufreq_governor.c), which manages dynamic CPU frequency scaling policies such as ondemand and conservative. When cpufreq_dbs_governor_init() calls kobject_init_and_add() to register the governor's sysfs interface and that registration fails, kobject_put() invokes the cpufreq_dbs_data_release() callback, which itself calls gov->exit(dbs_data) and kfree(dbs_data); the prior error path then repeated those same cleanup operations, releasing the same memory twice. This is a textbook CWE-415 (Double Free) defect: freeing an already-freed heap allocation can corrupt slab allocator metadata, enabling use-after-free style exploitation primitives. The affected CPE strings span Linux kernel versions from the 5.2 lineage through the 7.0-rc series, indicating the bug was long-lived across stable branches.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 5.10.253, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0 (or later) depending on your stable branch, per the EUVD record and the kernel.org stable-tree commits listed (019ea286, 3bf9d023, 427d048e, 56bc91ee, 6dcf9d00, d2703b4f, da39ee62 at https://git.kernel.org/stable/c/). Distribution users should apply the corresponding distro kernel update (e.g., RHEL, Ubuntu, SUSE backports) once published and reboot to activate the patched kernel. As a compensating control until patching, restrict local shell access to trusted users and limit container/sandbox tenants' ability to interact with /sys/devices/system/cpu/cpufreq/ - note this can break userland tools that legitimately tune CPU governors (e.g., tuned, cpupower, thermald) and may degrade power-management observability. Avoid frequent governor switching from low-privilege contexts that could repeatedly traverse the vulnerable init path.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy