CVE-2026-43328
Received Received - Intake
Double Free in Linux Kernel cpufreq Governor

Publication date: 2026-05-08

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43328
EUVD
EUVD-2026-28612
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.11 (inc) to 6.1.168 (exc)
linux linux_kernel From 5.2 (inc) to 5.10.253 (exc)
linux linux_kernel 5.1.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a double free error in the Linux kernel's CPU frequency scaling governor code, specifically in the cpufreq_dbs_governor_init() function. When an error occurs during the initialization process (specifically when kobject_init_and_add() fails), the code mistakenly frees the same memory twice. This happens because the cleanup function gov->exit(dbs_data) and the memory free function kfree(dbs_data) are called twice on the same data structure, leading to a double free.

The fix involves adjusting the cleanup process so that after kobject_init_and_add() has been called, the kobject_put() function handles the cleanup through the cpufreq_dbs_data_release() callback, avoiding the second free. For the failure path before kobject_init_and_add(), the direct kfree(dbs_data) is kept.

Impact Analysis

A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges. In the context of the Linux kernel, this could compromise system stability or security.

Mitigation Strategies

The vulnerability is a double free in the cpufreq_dbs_governor_init() function in the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version where this issue has been fixed.

Specifically, ensure that your kernel includes the fix that changes the error handling path to let kobject_put() handle cleanup after kobject_init_and_add() has been called, preventing the double free.

If updating immediately is not possible, consider avoiding use of the cpufreq_dbs governor or any functionality that triggers cpufreq_dbs_governor_init() until the fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43328. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart