Skip to main content

Linux Kernel EUVDEUVD-2026-32810

| CVE-2026-46183 HIGH
Double Free (CWE-415)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-82v4-79hw-3g4g
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local sysfs access with low privileges (PR:L), but winning the kfree-vs-read race makes attack complexity high (AC:H); successful UAF in kernel memory yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 11, 2026 - 03:07 vuln.today
CVSS changed
Jun 11, 2026 - 03:07 NVD
7.8 (HIGH)
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock

damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.

AnalysisAI

Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.

Technical ContextAI

DAMON is the Linux kernel's Data Access MONitor subsystem, which exposes tunable quota goals through sysfs files under /sys/kernel/mm/damon. The damon_sysfs_quot_goal->path buffer is allocated/freed in response to user writes and read by both user reads and the {on,off}line parameter commit path. The commit path correctly holds damon_sysfs_lock, but direct user-driven reads and writes did not, so a writer's kfree() could race with a separate-fd reader of the same buffer. Although classified as CWE-415 (Double Free) in the input, the description matches CWE-416 (use-after-free) - the patch closes the race by extending damon_sysfs_lock coverage to both read and write paths.

RemediationAI

Upstream fix available (commit) - apply the patches at git.kernel.org/stable/c/a34ca3e33da4b924c66bcca3729bf68ec5936910 and git.kernel.org/stable/c/cf3b71421ca00807328c6d9cd242f9de3b77a4bf, or upgrade to a stable kernel that incorporates them (EUVD references a 7.0.7 patched release and a 7.1-rc2 fix). Track your distribution's security tracker for the corresponding backport before declaring a system patched. As a compensating control until rebooted onto a fixed kernel, restrict access to /sys/kernel/mm/damon/admin/kdamonds/*/contexts/*/schemes/*/quotas/goals/*/path to root only via udev/systemd-tmpfiles rules, or disable DAMON sysfs by unloading the feature / building with CONFIG_DAMON_SYSFS=n where DAMON is not in active use - the trade-off is loss of runtime DAMON tuning and monitoring for workloads that rely on it.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy