Skip to main content

Linux Kernel EUVDEUVD-2026-32285

| CVE-2026-45989 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-26rf-29mw-gf9h
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local access and low privileges suffice (AV:L/PR:L), but exploitation requires CONFIG_OF_UNITTEST and winning a slab-reclaim race, so AC:H; successful UAF yields full kernel C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 14:09 vuln.today
CVSS changed
Jun 16, 2026 - 14:07 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in testdrv_probe()

The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer 'dn' is passed to of_platform_default_populate(), leading to a use-after-free.

The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing.

AnalysisAI

Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.

Technical ContextAI

The bug lives in drivers/of/unittest.c, the kernel self-test code for the Open Firmware / Device Tree (OF/DT) overlay subsystem. testdrv_probe() obtains pdev->dev.of_node - a reference owned and managed by the PCI / device-model core - then incorrectly calls of_node_put() on it before passing the same pointer to of_platform_default_populate(). Because the device model still believes it owns the reference, the refcount can drop to zero and the struct device_node be freed, leaving 'dn' a dangling pointer that is subsequently dereferenced - a textbook CWE-416 Use-After-Free in kernel-space struct device_node lifetime management. The CPE data identifies the Linux kernel (cpe:2.3:o:linux:linux_kernel) as the only affected product, and the EUVD version data shows fixes backported into stable branches 6.6.140, 6.12.86, 6.18.27 and mainline 7.0.4 / 7.1-rc1.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) on the corresponding stable branch, pulling the fix commits 07fd339b2c25, 5b6122a67a29, 6b2023286d2c, 0ba03e06f037 and d68347b07b98 from https://git.kernel.org/stable/. If immediate kernel update is not feasible, the most effective compensating control is to ensure CONFIG_OF_UNITTEST is disabled in the kernel build (it should never be set in production kernels) and that the of-unittest test module is not loadable; the side effect is loss of in-tree device-tree overlay self-tests, which is acceptable outside dev/CI environments. Restrict the ability of unprivileged users to load kernel modules (modules_disabled=1 or signed-module enforcement) to reduce the chance that a low-privileged local user can pull the vulnerable driver into a running kernel.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy