Skip to main content

Linux Kernel EUVDEUVD-2026-32480

| CVE-2026-46097 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-69mg-vw3h-xm3v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local-only via debugfs (AV:L); winning a teardown race makes AC:H; debugfs access is typically root-restricted (PR:H); kernel UAF can yield memory disclosure and corruption (C/I/A:H).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:23 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Input: edt-ft5x06 - fix use-after-free in debugfs teardown

The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer.

To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free.

AnalysisAI

Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.

Technical ContextAI

The affected component is the edt-ft5x06 driver (drivers/input/touchscreen/edt-ft5x06.c), an I2C driver for FocalTech/EDT capacitive touch controllers exposed via the kernel's debugfs pseudo-filesystem. Commit 68743c500c6e ("use per-client debugfs directory") delegated debugfs directory removal to the I2C core, but edt_ft5x06_ts_teardown_debugfs() still frees tsdata->raw_buffer separately, creating a temporal gap in which the debugfs 'raw_data' read handler can dereference the already-freed buffer. This is a classic CWE-416 use-after-free arising from inconsistent object lifetime management between the I2C core's deferred debugfs teardown and the driver's manual buffer free. The fix serializes freeing under the existing device mutex and NULLs the pointer, so the read path (which already checks for NULL under the same mutex) cannot race the free.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.18.27, 7.0.4, or 7.1-rc1 (or backport the fix commits a516d43886623e3cca5fa3446bed8fc7c7982be2 / 9f6c5e7b747d40e1c65cbfcb975857d25154c075 / f5f9e07060519e2287e99019a6de1eb3ebb65c37 from https://git.kernel.org/stable/). The fix protects the freeing of raw_buffer with the device mutex and sets it to NULL. Where immediate patching is not possible, compensating controls include not mounting debugfs in production (or mounting it with mode 0700 owned by root only), which removes the attack surface at the cost of losing debug/diagnostic access; or unbinding/blacklisting the edt-ft5x06 module on devices that do not need the touchscreen, which disables the affected hardware. These mitigations are only relevant on devices that actually use this driver, so most server fleets are unaffected by default.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32480 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy