Skip to main content

Linux Kernel EUVDEUVD-2026-35153

| CVE-2026-46288 HIGH
Use After Free (CWE-416)
2026-06-08 Linux GHSA-5j9p-c334-fvcp
8.4
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.2 MEDIUM

Reaching the UAF requires a kernel built and booted with CONFIG_OF_UNITTEST and a race window, so AV:L, AC:H, PR:H; primary impact is kernel crash with limited info leak.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:25 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
8.4 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 cve.org
HIGH 8.4
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in of_unittest_changeset()

The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.

AnalysisAI

Use-after-free in the Linux kernel's Open Firmware (OF) device-tree unit test code (of_unittest_changeset) allows reads of freed memory when the unit test path executes. The flaw lives in selftest code (drivers/of/unittest.c) reachable only when CONFIG_OF_UNITTEST is built in and the test runs, making real-world impact narrow. EPSS is 0.02% (5th percentile) and there is no public exploit identified at time of analysis; the bug has been fixed upstream and backported to stable trees.

Technical ContextAI

The defect is in the Linux kernel Open Firmware / device-tree subsystem, specifically the in-kernel self-test of_unittest_changeset() in drivers/of/unittest.c. Two local variables (parent and nchangeset) alias the same struct device_node. The code calls of_node_put(nchangeset), which decrements the kref and, if no other reference is held, frees the node via the OF subsystem's release path. The function then dereferences parent to call of_find_property() and read a string property, producing a classic use-after-free (CWE-416 class, although the input lists CWE as N/A). Affected CPE is cpe:2.3:a:linux:linux:*, with vulnerable commits descending from 1c668ea65506 and fixes 37318d1a27c9, faecdd423c27, 6fdad20b7975, and 7f0f0926f301 landed across the stable trees.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or newer) on the corresponding stable line, which include the fix that moves of_node_put() after the last use of the aliased parent pointer (commits at https://git.kernel.org/stable/c/37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1 and the sibling backports at /7f0f0926f3010b10cff5e93446258f971e42f2fd, /6fdad20b7975bdc32e85b45f8f7c640f6687b81f, /faecdd423c27f0d6090156a435ba9dbbac0eaddb). As an interim compensating control, rebuild the kernel with CONFIG_OF_UNITTEST disabled, or omit the of_unittest module from boot, which removes the vulnerable code path entirely at the cost of losing OF self-test coverage on that kernel; this is a safe trade-off for production systems where the selftest is not required. Track distro advisories via the NVD entry and vendor (Linux) stable announcements.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-35153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy