Description
In the Linux kernel, the following vulnerability has been resolved:

cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls
kobject_put(&dbs_data->attr_set.kobj).

The kobject release callback cpufreq_dbs_data_release() calls
gov->exit(dbs_data) and kfree(dbs_data), but the current error path
then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a
double free.

Keep the direct kfree(dbs_data) for the gov->init() failure path, but
after kobject_init_and_add() has been called, let kobject_put() handle
the cleanup through cpufreq_dbs_data_release().
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's cpufreq module has a double free bug in the error handling of the cpufreq_dbs_governor_init() function. When the kobject initialization fails, the code frees the allocated governor data twice: once explicitly and again via the kobject's release callback. This can corrupt heap metadata and may allow an attacker with kernel privileges to manipulate memory, potentially leading to arbitrary code execution or system instability, though the description does not guarantee an exploitable code path.

Affected Systems

All Linux kernel deployments that enable CPU frequency governor daemons. The issue applies to any kernel build before the patch that removes the double free in cpufreq_dbs_governor_init(). Users should verify whether their kernel includes the fix present in the referenced Git commits.

Risk and Exploitability

The CVSS score of 7.8 and an EPSS score of < 1% indicate a high‑to‑moderate severity with a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation. The flaw requires the attacker to trigger the governor initialization failure path, which typically involves loading a kernel module or restarting a service that invokes the governor. These prerequisites limit the likelihood of successful exploitation but do not eliminate it entirely. The attack vector is inferred to be the failure path of the governor's kobject initialization, which demands privileged actions.

Generated by OpenCVE AI on May 18, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the cpufreq double‑free fix.
  • If an immediate kernel upgrade is not feasible, manually cherry‑pick the relevant Git commits into your kernel tree and rebuild the kernel to incorporate the patch.
  • As a temporary mitigation, disable the CPU frequency governor feature or set it to a safe governor such as "userspace" to avoid the execution path that contains the double free logic.

Generated by OpenCVE AI on May 18, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Mon, 18 May 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:5.1.6:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
Title cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:43.531Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43328

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:42.397

Modified: 2026-05-18T12:43:45.277

Link: CVE-2026-43328

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43328 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T14:00:19Z

Weaknesses