CVE-2026-43328 - Vulnerability Details

- cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

Description

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls
kobject_put(&dbs_data->attr_set.kobj).

The kobject release callback cpufreq_dbs_data_release() calls
gov->exit(dbs_data) and kfree(dbs_data), but the current error path
then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a
double free.

Keep the direct kfree(dbs_data) for the gov->init() failure path, but
after kobject_init_and_add() has been called, let kobject_put() handle
the cleanup through cpufreq_dbs_data_release().

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel's cpufreq module has a double free bug in the error handling of the cpufreq_dbs_governor_init() function. When the kobject initialization fails, the code frees the allocated governor data twice: once explicitly and again via the kobject's release callback. This can corrupt heap metadata and may allow an attacker with kernel privileges to manipulate memory, potentially leading to arbitrary code execution or system instability, though the description does not guarantee an exploitable code path.

Affected Systems

All Linux kernel deployments that enable CPU frequency governor daemons. The issue applies to any kernel build before the patch that removes the double free in cpufreq_dbs_governor_init(). Users should verify whether their kernel includes the fix present in the referenced Git commits.

Risk and Exploitability

The CVSS score is not provided and the EPSS is unavailable, making the objective risk assessment uncertain. The vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation. The flaw requires the attacker to trigger the governor initialization failure path, which typically involves loading a kernel module or restarting a service that invokes the governor. These prerequisites limit the likelihood of successful exploitation but do not eliminate it entirely. The attack vector is inferred to be the failure path of the governor's kobject initialization, which demands privileged actions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< 56bc91ee78babe9578585a2bc137abc4b3115ff3
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< 019ea28629720c220daedf38107c8787f330dc05
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< da39ee627fd82b52068d4d5f115749a8b7d271f9
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< 427d048e4f6acbfa01b5a8062449fe0ee8987c0d
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< 3bf9d023d2329a0e5379f2fd09d06ef09729cd9d
`4ebe36c94aed95de71a8ce6a6762226d31c938ee`	affected	< 6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e
`e977b1477a6725868302957e6b5c330220391797`	affected	—

Linux

affected

Version	Status	Constraints
`5.2`	affected	—
`0`	unaffected	< 5.2
`5.10.253`	unaffected	≤ 5.10.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,56bc91ee78babe9578585a2bc137abc4b3115ff3)`	affected	code_commit	—
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,019ea28629720c220daedf38107c8787f330dc05)`	affected	code_commit	—
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,3bf9d023d2329a0e5379f2fd09d06ef09729cd9d)`	affected	code_commit	—
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,427d048e4f6acbfa01b5a8062449fe0ee8987c0d)`	affected	code_commit	—
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357)`	affected	code_commit	—
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e)`	affected	code_commit	—
`[4ebe36c94aed95de71a8ce6a6762226d31c938ee,da39ee627fd82b52068d4d5f115749a8b7d271f9)`	affected	code_commit	—
`e977b1477a6725868302957e6b5c330220391797`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.2`	affected	generic	—
`[0,5.2)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,7.0.0)`	unaffected	semver	—
`[7.0,*)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update that includes the cpufreq double‑free fix.
If an immediate kernel upgrade is not feasible, manually cherry‑pick the relevant Git commits into your kernel tree and rebuild the kernel to incorporate the patch.
As a temporary mitigation, disable the CPU frequency governor feature or set it to a safe governor such as "userspace" to avoid the execution path that contains the double free logic.

Generated by OpenCVE AI on May 8, 2026 at 19:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/019ea28629720c220daedf38107c8787f330dc05
https://git.kernel.org/stable/c/3bf9d023d2329a0e5379f2fd09d06ef09729cd9d
https://git.kernel.org/stable/c/427d048e4f6acbfa01b5a8062449fe0ee8987c0d
https://git.kernel.org/stable/c/56bc91ee78babe9578585a2bc137abc4b3115ff3
https://git.kernel.org/stable/c/6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e
https://git.kernel.org/stable/c/d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357
https://git.kernel.org/stable/c/da39ee627fd82b52068d4d5f115749a8b7d271f9

History

Fri, 08 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-415

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
Title		cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/019ea28629720c220daedf38107c8787f330dc05 https://git.kernel.org/stable/c/3bf9d023d2329a0e5379f2fd09d06ef09729cd9d https://git.kernel.org/stable/c/427d048e4f6acbfa01b5a8062449fe0ee8987c0d https://git.kernel.org/stable/c/56bc91ee78babe9578585a2bc137abc4b3115ff3 https://git.kernel.org/stable/c/6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e https://git.kernel.org/stable/c/d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357 https://git.kernel.org/stable/c/da39ee627fd82b52068d4d5f115749a8b7d271f9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:16.787Z

Updated: 2026-05-08T13:31:16.787Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43328

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:42.397

Modified: 2026-05-08T14:16:42.397

Link: CVE-2026-43328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses

CWE-415

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object