CVE-2026-46308
Received Received - Intake

Use-After-Free in Linux Kernel MTK Power Domain Driver

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() In scpsys_get_bus_protection_legacy(), of_find_node_with_property() returns a device node with its reference count incremented. The function then calls of_node_put(node) before checking whether syscon_regmap_lookup_by_phandle() returns an error. If an error occurs, dev_err_probe() dereferences the node pointer to print diagnostic information, but the node memory may have already been freed due to the earlier of_node_put(), leading to a use-after-free vulnerability. Fix this by moving the of_node_put() call after the error check, ensuring the node is still valid when accessed in the error path.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-29
AI Q&A
2026-06-08
EPSS Evaluated
2026-06-27
NVD
CVE-2026-46308
EUVD
EUVD-2026-35173

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mediatek linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability is a use-after-free issue in the Linux kernel's mediatek pmdomain driver. It can lead to the kernel dereferencing freed memory, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's mediatek pmdomain component, specifically in the function scpsys_get_bus_protection_legacy().

The problem occurs because the function of_find_node_with_property() returns a device node with its reference count incremented, but the code calls of_node_put(node) too early, before checking if syscon_regmap_lookup_by_phandle() returns an error.

If an error occurs, the code attempts to dereference the node pointer to print diagnostic information using dev_err_probe(), but since the node memory may have already been freed due to the earlier of_node_put() call, this leads to a use-after-free vulnerability.

The fix involves moving the of_node_put() call after the error check to ensure the node is still valid when accessed in the error path.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue in scpsys_get_bus_protection_legacy() has been fixed. The fix involves moving the of_node_put() call after the error check to prevent use-after-free.

Until the kernel is updated, avoid running untrusted code that could trigger this vulnerability and monitor for any suspicious behavior related to device node handling in the mediatek platform.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart