CVE-2026-46285
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: docg3: fix use-after-free in docg3_release()
In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.
Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < 8408655ec8344511667b61d8257dc59c80ee3391 | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < f5d2ed4ed47d3906e2495a3537a48b127f497a17 | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < 2bf706fe7831b319f23a85b9728f961cfed40c3e | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < d26f8c361f751c188b7ebaf8189aa0258968fd98 | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < 16f6588a3b7a2a20d10ad9b766be74c60ba347cc | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < d89044889ecd11b0c2f86663597246e9bdd25679 | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < d49628d63d4e6bbc8a1621afb88e5fc901611bee | affected |
| Linux | Linux | c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < ca19808bc6fac7e29420d8508df569b346b3e339 | affected |
| Linux | Linux | 5.8 | affected |
| Linux | Linux | 0 < 5.8 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.86 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.27 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.4 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391
- https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17
- https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e
- https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98
- https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc
- https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679
- https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee
- https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.