Skip to main content

Linux Kernel EUVDEUVD-2026-35142

| CVE-2026-46277 HIGH
2026-06-08 Linux GHSA-jqww-wr6j-993j
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local attacker with unprivileged access, but exploitation requires winning a folio-reallocation race against a driver callback, so AC:H rather than AC:L; kernel UAF yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:24 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 08, 2026 - 15:41 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/zone_device: do not touch device folio after calling ->folio_free()

The contents of a device folio can immediately change after calling ->folio_free(), as the folio may be reallocated by a driver with a different order. Instead of touching the folio again to extract the pgmap, use the local stack variable when calling percpu_ref_put_many().

AnalysisAI

Use-after-free in the Linux kernel's mm/zone_device subsystem allows local attackers with low privileges to corrupt memory or escalate privileges by exploiting a race where a device folio is accessed after the driver's ->folio_free() callback has already reallocated it with a potentially different order. The flaw affects systems using ZONE_DEVICE memory (typically with DAX, HMM, or GPU/accelerator drivers exposing device-backed folios) and carries a 7.8 CVSS with low EPSS (0.02%, 5th percentile), indicating high theoretical impact but no public exploit identified at time of analysis.

Technical ContextAI

The bug lives in mm/zone_device.c, which manages ZONE_DEVICE pages used for persistent memory (DAX), HMM-managed device memory, and pgmap-backed allocations from drivers (e.g., NVIDIA/AMD GPU drivers, nvdimm). The fix discipline is a textbook use-after-free (CWE-416, though not tagged in the input): after the page allocator invokes the pgmap's ->folio_free() callback, ownership of the folio returns to the driver, which may immediately reallocate it at a different compound order. The previous code re-dereferenced the folio to retrieve pgmap for the subsequent percpu_ref_put_many() call, reading freed/reused metadata. The patch caches the pgmap pointer on the local stack before invoking the callback, eliminating the post-free dereference. CPE strings identify Linux kernel as the affected component generically; EUVD pins the fix landing in 6.19 and stable backports 7.0.4 and 7.1-rc1.

RemediationAI

Upstream fix available (commits 85be0a26 and 39928984 on kernel.org); upgrade to Linux 6.19, stable 7.0.4, or 7.1-rc1, or pull the equivalent backport from your distribution once published (Red Hat, SUSE, Ubuntu, Debian, Oracle have not been cross-referenced in the input). The two kernel.org commit URLs (git.kernel.org/stable/c/85be0a262e39c706edb53c88af8afde2e98222ba and git.kernel.org/stable/c/39928984956037cabd304321cb8f342e47421db5) document the exact change for distros building custom kernels. Where immediate patching is not possible, the most targeted compensating control is to avoid loading drivers that allocate ZONE_DEVICE folios on untrusted-local hosts - specifically, disable or unload device_dax/kmem, HMM-using GPU drivers (nouveau/amdgpu/nvidia with HMM), and nvdimm modules; trade-off is loss of persistent-memory and unified-memory functionality. On multi-tenant systems where those drivers are required, restrict local logins and container break-out surface (seccomp/landlock, no-new-privs, drop CAP_SYS_ADMIN from workloads) to reduce reach to the affected code paths.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-35142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy