Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/stat: deallocate damon_call() failure leaking damon_ctx

damon_stat_start() always allocates the module's damon_ctx object
(damon_stat_context). Meanwhile, if damon_call() in the function fails,
the damon_ctx object is not deallocated. Hence, if damon_call() fails
and the user writes Y to “enabled” again, the previously allocated
damon_ctx object is leaked.

This cannot simply be fixed by deallocating the damon_ctx object when
damon_call() fails. That's because damon_call() failure doesn't guarantee
the kdamond main function, which accesses the damon_ctx object, is
completely finished. In other words, if damon_stat_start() deallocates
the damon_ctx object after damon_call() failure, the not-yet-terminated
kdamond could access the freed memory (use-after-free).

Fix the leak while avoiding the use-after-free by having
damon_stat_start() keep returning without deallocating the damon_ctx
object after damon_call() failure, and deallocating it when the function
is invoked again and the kdamond is completely terminated. If the kdamond
is not yet terminated, simply return -EAGAIN, as the kdamond will soon be
terminated.

The issue was discovered [1] by sashiko.
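To make the fix's control flow concrete, here is a small user-space C model written for this page; it is not the kernel's code. damon_stat_start_model(), damon_call_model(), the kdamond_running and call_should_fail flags and live_ctx_count are assumed stand-ins for kernel internals. It shows why a failed damon_call() must leave the context in place, and how the retry path reclaims it only once the kdamond has terminated.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Model of damon_stat_start(): names ending in _model and the flags
 * below are stand-ins for this example, not kernel API. */
struct damon_ctx { int nr_regions; };

static struct damon_ctx *damon_stat_context;  /* module-global, as in the kernel */
static bool kdamond_running;   /* stand-in: kdamond has not fully terminated */
static bool call_should_fail;  /* stand-in: make the damon_call() stand-in fail */
static int live_ctx_count;     /* bookkeeping so a leak is observable */

static void damon_destroy_ctx_model(struct damon_ctx *ctx)
{
    free(ctx);
    live_ctx_count--;
}

/* Stand-in for damon_call(): the kdamond is already started and may
 * still dereference ctx even when this returns an error. */
static int damon_call_model(struct damon_ctx *ctx)
{
    (void)ctx;
    return call_should_fail ? -EINVAL : 0;
}

int damon_stat_start_model(void)
{
    if (damon_stat_context) {
        /* Leftover from a failed attempt: free it only once the kdamond
         * that may still reference it has completely terminated. */
        if (kdamond_running)
            return -EAGAIN;
        damon_destroy_ctx_model(damon_stat_context);
        damon_stat_context = NULL;
    }
    damon_stat_context = calloc(1, sizeof(*damon_stat_context));
    if (!damon_stat_context)
        return -ENOMEM;
    live_ctx_count++;
    kdamond_running = true;
    /* On failure, do not free here: the kdamond may not have exited yet
     * (use-after-free). Leave ctx for the next invocation to reclaim. */
    return damon_call_model(damon_stat_context);
}
```

Freeing in the failure branch would remove the leak but reintroduce the use-after-free the commit message warns about; the deferred reclaim is what keeps both properties.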
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-after-Free
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel contains a flaw in mm/damon/stat where the damon_ctx object allocated by damon_stat_start() is not freed when damon_call() fails. Because the object is left in place, re‑enabling the feature allocates a new context and leaks the old one; freeing it eagerly on failure is not an option either, since the kdamond may still be running and would then access freed memory (use‑after‑free). The practical consequence is a kernel memory leak that can lead to kernel instability or a local denial of service if the failing path can be triggered repeatedly. The weakness is classified as CWE‑416 (Use‑After‑Free) and CWE‑772 (resource leak).

Affected Systems

This issue affects Linux kernel release 6.17 and the 7.0 release candidates rc1 through rc7. It is therefore relevant to any distribution that ships one of these kernel versions, or a later one that does not yet carry the fix.

Risk and Exploitability

The CVSS score of 7.8 reflects moderate to high severity, while the EPSS score below 1% indicates that exploitation is unlikely to be observed in the wild, though still possible. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The attack vector is local: an attacker with kernel‑level privileges can cause the allocation and the subsequent damon_call() failure to trigger the memory leak or potential use‑after‑free, leading to a denial of service, or to further kernel compromise if chained with other local vulnerabilities.

Generated by OpenCVE AI on April 28, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the fix for the damon_ctx deallocation issue, such as any release newer than Linux kernel 6.17 or post‑7.0 RC5. Reboot the system after applying the updated kernel to ensure the patched code is loaded. If an immediate kernel upgrade is not feasible, disable or remove the kdamond subsystem (or the feature that enables damon_stat_start) until a patch is available to prevent the allocation path from being exercised.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-416
CPEs                          cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics                       cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Fri, 24 Apr 2026 15:00:00 +0000

Type                  Values Removed   Values Added
Description                            In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: deallocate damon_call() failure leaking damon_ctx (full text identical to the Description section above)
Title                                  mm/damon/stat: deallocate damon_call() failure leaking damon_ctx
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:57.491Z

Reserved: 2026-03-09T15:48:24.128Z

Link: CVE-2026-31652

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:44.697

Modified: 2026-04-27T20:16:12.663

Link: CVE-2026-31652

Redhat

Severity:

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31652 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:00:16Z

Weaknesses