CVE-2026-46183
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in Linux Kernel DAMON Sysfs

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-46183
EUVD
EUVD-2026-32810
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's DAMON subsystem, specifically in the handling of the 'path' parameter in sysfs-schemes. The 'path' can be read and written by users via the DAMON sysfs 'path' file. While some parameter reads are protected by a lock (damon_sysfs_lock) to prevent the sysfs files from being destroyed during access, the direct user-driven reads and writes to 'path' are not protected by any lock.

Because the write operation deallocates the buffer that the 'path' points to without locking, readers can end up reading from a buffer that has already been freed, leading to a use-after-free condition. This can happen especially when reads and writes are done through separate open files, which is common.

The fix involved protecting both the user-direct reads and writes with the damon_sysfs_lock to prevent this race condition and use-after-free scenario.


How can this vulnerability impact me? :

This vulnerability can lead to a use-after-free condition in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the freed memory.

Since the vulnerability involves user-controlled reads and writes to kernel memory without proper locking, it could be leveraged by a local attacker to compromise the integrity or availability of the system.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability involves unprotected reads and writes to the DAMON sysfs 'path' file in the Linux kernel, which can lead to use-after-free conditions.

To mitigate this vulnerability, you should update your Linux kernel to a version where the issue is fixed by protecting both user-direct reads and writes with damon_sysfs_lock.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart