Skip to main content

Linux Kernel EUVDEUVD-2026-28694

| CVE-2026-43388 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-c2gp-49q2-6jxp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:25 vuln.today
CVSS changed
May 26, 2026 - 15:07 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: clear walk_control on inactive context in damos_walk()

damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns.

This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it.

The dangling walk_control pointer can cause:

  1. Use-after-free if the context is later started and kdamond

dereferences ctx->walk_control (e.g., in damos_walk_cancel() which writes to control->canceled and calls complete())

  1. Permanent -EBUSY from subsequent damos_walk() calls, since the

stale pointer is non-NULL

Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there is no damos_walk() callers who starts the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally uses a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again.

Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.

AnalysisAI

Use-after-free condition in the Linux kernel's DAMON (Data Access MONitor) subsystem affects systems running kernel version 6.14 and related stable branches prior to the patched commits. A local low-privileged user can trigger a dangling pointer to a stack-allocated walk_control structure when damos_walk() is invoked against an inactive DAMON context, with no public exploit identified at time of analysis and an EPSS probability of just 0.02%.

Technical ContextAI

The flaw lives in mm/damon/core.c within the DAMON memory access monitoring framework, which provides data access pattern tracking and operation schemes (DAMOS) for memory management tuning. The root cause is CWE-416 (Use After Free): damos_walk() assigns the caller's stack-allocated damos_walk_control to ctx->walk_control before checking damon_is_running(), and when the context is inactive it returns -EINVAL without unlinking the now-dangling pointer. This mirrors a previously fixed pattern in commit f9132fbc2e83 affecting damon_call(). The CPE data (cpe:2.3:a:linux:linux) confirms the upstream Linux kernel is the affected product, with downstream distribution exposure noted via Red Hat and SUSE tags.

RemediationAI

Upstream fix available (commits ce0aa47c, 9320c771, d210fdca); released patched versions confirmed as Linux 6.18.19, 6.19.9, and 7.0 - upgrade to one of these or to a distribution kernel that has backported the fix. Red Hat and SUSE users should monitor their respective errata channels for backported updates referencing CVE-2026-43388. If patching must be deferred, a practical compensating control is to avoid running userspace tools that invoke the DAMOS walk interface (the sysfs/debugfs DAMON tuning utilities) against inactive contexts, since the dangling pointer is created only via damos_walk() on a non-running context; this has the side effect of disabling DAMON-based memory tuning workflows. Restricting CAP_SYS_ADMIN and access to DAMON's sysfs interface to trusted administrators further reduces who can trigger the path.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy