CVE-2026-43388
Use-After-Free in Linux Kernel DAMON
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | (no CWE assigned on this page) |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's DAMON subsystem, in the function damos_walk(). The function stores a caller-provided control structure in ctx->walk_control before it checks whether the DAMON context is running. If the context is not running, the function returns -EINVAL without clearing ctx->walk_control, so the context keeps a pointer to a structure that callers allocate on their stack and that goes out of scope as soon as the caller returns.
That stale pointer has two consequences. First, if the context were later started and the worker dereferenced ctx->walk_control, it would be a use-after-free of the caller's old stack frame. Second, every later damos_walk() call on the same context finds ctx->walk_control non-NULL and returns -EBUSY, even though no walk is in progress. In practice the use-after-free is not reachable, because no existing caller starts the context after a failed walk request, and the -EBUSY errors only persist while the context stays off.
The fix clears ctx->walk_control, under walk_control_lock, before returning the -EINVAL error, so no dangling pointer survives the error path.
How can this vulnerability impact me?
The real user impact of this vulnerability is limited. The use-after-free condition is not reachable in practice, because no caller restarts the context after it becomes inactive.
The observable effect is that, once one damos_walk() call has failed with -EINVAL on an inactive context, every subsequent call on that context returns -EBUSY, which misleadingly indicates that DAMON is busy even though it is not running. The symptom lasts only while the context is turned off: turning the context back on resets the internal state and clears the stale pointer.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by clearing the ctx->walk_control pointer under walk_control_lock before returning an error in damos_walk().
To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
Additionally, if you encounter the symptom of permanent -EBUSY errors from damos_walk() calls while the context is inactive, turning the DAMON context on again will reset the internal damon_ctx object and clear the invalid pointer, restoring normal operation.
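The following is an added userspace model of the damos_walk() control flow described in the explanation and mitigation answers above; it is not the kernel's code. Only the names damos_walk, damon_ctx, damos_walk_control, walk_control and walk_control_lock and the -EINVAL/-EBUSY codes come from the page; the spinlock emulation, the synchronous run_walk() stand-in for the running worker, the nr_walked field and the probe helpers are assumptions made for illustration. It reproduces the reported symptom (a second request on a stopped context returns -EBUSY with the pre-fix flow) and shows that clearing the pointer under the lock on the error path removes it.

```c
/* Added model of the damos_walk() bug and fix; NOT kernel code.
 * Lock emulation, run_walk(), nr_walked and the probe helpers are assumptions. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct damos_walk_control {
    bool canceled;
    int  nr_walked;   /* assumed result field filled in by the walker */
};

struct damon_ctx {
    bool running;                             /* what damon_is_running() reports */
    atomic_bool walk_control_lock;            /* stand-in for the kernel mutex */
    struct damos_walk_control *walk_control;  /* the pointer left dangling */
};

typedef int (*walk_fn)(struct damon_ctx *, struct damos_walk_control *);

static void ctx_init(struct damon_ctx *ctx, bool running)
{
    ctx->running = running;
    atomic_init(&ctx->walk_control_lock, false);
    ctx->walk_control = NULL;
}

/* Minimal spinlock standing in for mutex_lock()/mutex_unlock(). */
static void walk_lock(struct damon_ctx *ctx)   { while (atomic_exchange(&ctx->walk_control_lock, true)) ; }
static void walk_unlock(struct damon_ctx *ctx) { atomic_store(&ctx->walk_control_lock, false); }

/* Stand-in for the running worker consuming a request: take the control block
 * under the lock, clear the pointer, report a result. */
static void run_walk(struct damon_ctx *ctx)
{
    walk_lock(ctx);
    struct damos_walk_control *c = ctx->walk_control;
    ctx->walk_control = NULL;
    walk_unlock(ctx);
    c->nr_walked = 1;
}

/* Pre-fix flow: the pointer is published before the running check and is
 * never cleared on the -EINVAL path. */
static int damos_walk_before_fix(struct damon_ctx *ctx, struct damos_walk_control *control)
{
    control->canceled = false;
    walk_lock(ctx);
    if (ctx->walk_control) {
        walk_unlock(ctx);
        return -EBUSY;   /* a stale pointer from an earlier call lands here */
    }
    ctx->walk_control = control;
    walk_unlock(ctx);
    if (!ctx->running)
        return -EINVAL;  /* bug: ctx->walk_control still points at the caller's stack */
    run_walk(ctx);
    return 0;
}

/* Post-fix flow: identical, except the pointer is dropped under the lock
 * before the error is returned. */
static int damos_walk_after_fix(struct damon_ctx *ctx, struct damos_walk_control *control)
{
    control->canceled = false;
    walk_lock(ctx);
    if (ctx->walk_control) {
        walk_unlock(ctx);
        return -EBUSY;
    }
    ctx->walk_control = control;
    walk_unlock(ctx);
    if (!ctx->running) {
        walk_lock(ctx);
        ctx->walk_control = NULL;  /* fix: no dangling pointer survives the error path */
        walk_unlock(ctx);
        return -EINVAL;
    }
    run_walk(ctx);
    return 0;
}

struct probe_result { int first, second; bool clean; };

/* Two requests against a stopped context, each with its own stack-allocated
 * control block as the real callers do. clean == true means ctx->walk_control
 * is NULL afterwards, i.e. nothing dangles. */
static struct probe_result probe_stopped_ctx(walk_fn walk)
{
    struct probe_result r;
    struct damon_ctx ctx;
    ctx_init(&ctx, false);
    {
        struct damos_walk_control first = {0};
        r.first = walk(&ctx, &first);
    }   /* `first` is out of scope here: any pointer to it is now dangling */
    {
        struct damos_walk_control second = {0};
        r.second = walk(&ctx, &second);
    }
    r.clean = (ctx.walk_control == NULL);
    return r;
}

/* Normal path on a running context; returns true if the request completed. */
static bool walk_running_ctx(walk_fn walk)
{
    struct damon_ctx ctx;
    struct damos_walk_control control = {0};
    ctx_init(&ctx, true);
    return walk(&ctx, &control) == 0 && control.nr_walked == 1 && ctx.walk_control == NULL;
}

int main(void)
{
    struct probe_result b = probe_stopped_ctx(damos_walk_before_fix);
    struct probe_result a = probe_stopped_ctx(damos_walk_after_fix);
    printf("before fix: first=%d second=%d clean=%d\n", b.first, b.second, b.clean);
    printf("after fix:  first=%d second=%d clean=%d\n", a.first, a.second, a.clean);
    return 0;
}
```

With the pre-fix flow the probe reports first=-22 (EINVAL), second=-16 (EBUSY) and clean=0; with the fixed flow both calls return -22 and clean=1. The running-context helper shows the fix does not change the normal path. Real kernel callers allocate the control block on the stack exactly as probe_stopped_ctx() does, which is why the stale pointer is dangerous rather than merely confusing if anything ever dereferenced it.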