CVE-2026-46280
Received - Intake
Use-After-Free in Linux Kernel HMM Test

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

lib: test_hmm: evict device pages on file close to avoid use-after-free

Patch series "Minor hmm_test fixes and cleanups".

Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems.

This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror. If a subsequent fault occurs on those pages (e.g. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic.

This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.

Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A

Affected Vendors & Products
1 associated CPE:
Vendor: linux; Product: linux_kernel; Version / Range: *
CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's HMM (Heterogeneous Memory Management) selftests, specifically in the test_hmm component. When the dmirror_fops_release() function is called, it frees a data structure called dmirror without first migrating device private pages back to system memory. This leaves those pages with a dangling pointer to freed memory. If a subsequent fault occurs on these pages, such as during a coredump, the kernel attempts to access this stale pointer, causing a kernel panic.

The issue was identified during testing on arm64 architecture, where a test failure triggered a signal abort (SIGABRT) and the coredump process faulted on these stale device private pages, leading to a crash.

The fix involves migrating all device private pages back to system memory before freeing the dmirror struct, preventing the use-after-free condition.
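
A userspace model of the ordering problem described above, added here as an illustration and not code from the kernel or from this page; every *_model name and the four-page array are assumptions. It counts the pages still referring to the owner at the moment the owner is freed, first without eviction and then with eviction done first.

```c
/* Userspace model only. Every *_model name is hypothetical, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#define NPAGES 4

struct dmirror_model { int id; };  /* stand-in for the per-file dmirror */
struct page_model {
    int device_private;            /* 1 = still resident in device memory */
    struct dmirror_model *owner;   /* plays the role of zone_device_data */
};

/* Model eviction: page returns to system memory and drops its owner reference. */
static void evict_model(struct page_model *pages, int n, struct dmirror_model *d)
{
    for (int i = 0; i < n; i++)
        if (pages[i].device_private && pages[i].owner == d) {
            pages[i].device_private = 0;
            pages[i].owner = NULL;
        }
}

/* Release path. Returns how many pages still point at the owner being freed. */
static int release_model(struct page_model *pages, int n,
                         struct dmirror_model *d, int evict_first)
{
    int dangling = 0;
    if (evict_first)
        evict_model(pages, n, d);
    for (int i = 0; i < n; i++)    /* counted before free(), so no stale read */
        if (pages[i].device_private && pages[i].owner == d)
            dangling++;
    free(d);
    return dangling;
}

/* Put `migrated` pages in device memory for a fresh owner, then release it. */
static int run_model(int migrated, int evict_first)
{
    struct page_model pages[NPAGES] = {{0, NULL}};
    struct dmirror_model *d = malloc(sizeof(*d));
    if (!d) return -1;
    for (int i = 0; i < migrated && i < NPAGES; i++) {
        pages[i].device_private = 1;
        pages[i].owner = d;
    }
    return release_model(pages, NPAGES, d, evict_first);
}

int main(void) { printf("no evict: %d, evict first: %d\n", run_model(3, 0), run_model(3, 1)); return 0; }
```

Any nonzero count in the first case corresponds to a page whose later fault would follow a pointer to freed memory.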

Impact Analysis

This vulnerability can cause a kernel panic, which is a critical system crash in the Linux kernel. Such crashes can lead to system instability, unexpected reboots, or downtime.

In environments where the Linux kernel is used, particularly where the HMM selftests are run (the reported case was on arm64), this could interrupt normal operations and potentially cause data loss or service disruption.

Mitigation Strategies

The vulnerability is fixed by a patch that ensures device private pages are migrated back to system memory before freeing the related structures, preventing use-after-free and kernel panic.

To mitigate this vulnerability immediately, update your Linux kernel to a version that includes the patch series "Minor hmm_test fixes and cleanups", which addresses this issue.
