Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: remove call_control in inactive contexts

If damon_call() is executed against a DAMON context that is not running,
the function returns an error while keeping the damon_call_control object
linked to the context's call_controls list. Let's suppose the object is
deallocated after the damon_call(), and yet another damon_call() is
executed against the same context. The function tries to add the new
damon_call_control object to the call_controls list, which still has the
pointer to the previous damon_call_control object, which is deallocated.
As a result, a use-after-free happens.

This can actually be triggered using the DAMON sysfs interface. It is not
easily exploitable since it requires the sysfs write permission and making
definitely weird file writes, though. Please refer to the report for
more details about the issue reproduction steps.

Fix the issue by making two changes. Firstly, move the final
kdamond_call() for cancelling all existing damon_call() requests from the
terminating DAMON context to be done before the ctx->kdamond reset. This
lets any code that sees NULL ctx->kdamond safely assume the context
may not access damon_call() requests anymore. Secondly, let damon_call()
clean up the damon_call_control objects that were added to the
already-terminated DAMON context, before returning the error.
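The failure mode and both halves of the fix, modelled in plain C as an added example that is not the kernel's code: a singly linked list stands in for the kernel's list_head, there is no locking, and damon_call_buggy, damon_call_fixed, kdamond_finish and linked_after_rejected_call are names chosen for this model.

```c
#include <errno.h>
#include <stddef.h>

/* Toy model of DAMON's per-context call_controls list, constructed for this
 * page (not the kernel's code). A damon_call_control is caller-owned and may
 * be released as soon as damon_call() has returned. */
struct damon_call_control { struct damon_call_control *next; int canceled; };
struct damon_ctx { void *kdamond; struct damon_call_controls_dummy *unused; struct damon_call_control *call_controls; };
/* Pre-fix shape: push the control, notice the context is not running and
 * return an error, but leave the caller-owned control linked: that pointer
 * dangles as soon as the caller releases the object. */
int damon_call_buggy(struct damon_ctx *ctx, struct damon_call_control *c)
{
	c->next = ctx->call_controls;
	ctx->call_controls = c;
	return ctx->kdamond ? 0 : -EINVAL;
}
/* Fixed shape: unlink before the error return, so the list never refers to an
 * object whose owner was told the call was rejected. */
int damon_call_fixed(struct damon_ctx *ctx, struct damon_call_control *c)
{
	c->next = ctx->call_controls;
	ctx->call_controls = c;
	if (ctx->kdamond)
		return 0;
	ctx->call_controls = c->next;  /* c is at the head; pop it again */
	return -EINVAL;
}
/* Termination ordering from the fix: cancel pending controls before clearing
 * ctx->kdamond, so a NULL kdamond guarantees the list is already empty. */
void kdamond_finish(struct damon_ctx *ctx)
{
	for (struct damon_call_control *c = ctx->call_controls; c; c = c->next)
		c->canceled = 1;
	ctx->call_controls = NULL;
	ctx->kdamond = NULL;
}
/* Controls still linked to an inactive context after a rejected call:
 * 1 on the buggy path, 0 with the fix. */
int linked_after_rejected_call(int fixed)
{
	struct damon_ctx ctx = { &ctx, NULL, NULL };  /* running: kdamond is set */
	struct damon_call_control c = { NULL, 0 };
	int n = 0;
	kdamond_finish(&ctx);                         /* context terminates */
	(fixed ? damon_call_fixed : damon_call_buggy)(&ctx, &c);
	for (struct damon_call_control *p = ctx.call_controls; p; p = p->next)
		n++;
	return n;
}
```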
Published: 2026-01-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-after-free (memory corruption)
Action: Apply Patch
AI Analysis

Impact

In the DAMON subsystem of the Linux kernel, executing damon_call() against a context that has ceased operation leaves a dangling call_control pointer in the context’s call_controls list. Subsequent invocations of damon_call() reuse this stale pointer, resulting in a use‑after‑free that can corrupt kernel memory. The primary effect is memory corruption that, if an attacker can trigger it, may allow them to crash the kernel or potentially gain arbitrary code execution, depending on the surrounding memory state. This is a classic use‑after‑free weakness (CWE‑416).

Affected Systems

The flaw affects the Linux kernel, specifically versions where the DAMON subsystem had not yet incorporated the fix: this includes kernel 6.17 and the 6.19 release candidates rc1 through rc8. Systems running those kernels with the DAMON sysfs interface enabled are vulnerable. The impacted product line is Linux:Linux, as listed by the CNA, with CPE references covering linux_kernel 6.17 and 6.19 rc1 to rc8.

Risk and Exploitability

The advisory lists a CVSS base score of 7.8, indicating high severity, while the EPSS score is under 1 %, suggesting a low probability that the flaw has already been exploited. The vulnerability is not present in CISA's KEV catalog. Exploitation requires write access to the DAMON sysfs interface and the ability to perform a specific, non‑trivial sequence of file writes; it is not trivially exploitable by ordinary unprivileged users. Consequently, the overall risk is moderate, rising only if sysfs write permissions are broadly available or if the attacker can achieve elevated privileges to manipulate the DAMON interface.

Generated by OpenCVE AI on April 18, 2026 at 02:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the DAMON call_control cleanup fix, such as kernel 6.19 or later, to eliminate the use‑after‑free vulnerability.
  • If an upgrade is not immediately possible, restrict or disable write access to the DAMON sysfs interface so that only privileged users can invoke damon_call(), reducing the window for exploitation.
  • Audit sysfs permissions regularly and monitor for anomalous damon_call attempts; consider disabling the DAMON feature on systems that do not require it.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 20:00:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-416
CPEs                          cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics                       cvssV3_1
                              {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 26 Jan 2026 12:15:00 +0000


Sun, 25 Jan 2026 14:45:00 +0000

Type                  Values Removed   Values Added
Description                            (the CVE description shown at the top of this page)
Title                                  mm/damon/core: remove call_control in inactive contexts
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:05.502Z

Reserved: 2026-01-13T15:37:45.940Z

Link: CVE-2026-23012

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-01-25T15:15:56.073

Modified: 2026-03-25T19:49:02.980

Link: CVE-2026-23012

Redhat

Severity:

Public Date: 2026-01-25T00:00:00Z

Links: CVE-2026-23012 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses