CVE-2026-43388 - Vulnerability Details

- mm/damon/core: clear walk_control on inactive context in damos_walk()

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: clear walk_control on inactive context in damos_walk()

damos_walk() sets ctx->walk_control to the caller-provided control
structure before checking whether the context is running. If the context
is inactive (damon_is_running() returns false), the function returns
-EINVAL without clearing ctx->walk_control. This leaves a dangling
pointer to a stack-allocated structure that will be freed when the caller
returns.

This is structurally identical to the bug fixed in commit f9132fbc2e83
("mm/damon/core: remove call_control in inactive contexts") for
damon_call(), which had the same pattern of linking a control object and
returning an error without unlinking it.

The dangling walk_control pointer can cause:
1. Use-after-free if the context is later started and kdamond
dereferences ctx->walk_control (e.g., in damos_walk_cancel()
which writes to control->canceled and calls complete())
2. Permanent -EBUSY from subsequent damos_walk() calls, since the
stale pointer is non-NULL

Nonetheless, the real user impact is quite restrictive. The
use-after-free is impossible because there is no damos_walk() callers who
starts the context later. The permanent -EBUSY can actually confuse
users, as DAMON is not running. But the symptom is kept only while the
context is turned off. Turning it on again will make DAMON internally
uses a newly generated damon_ctx object that doesn't have the invalid
damos_walk_control pointer, so everything will work fine again.

Fix this by clearing ctx->walk_control under walk_control_lock before
returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kernel function damos_walk() assigns a control structure to ctx->walk_control before verifying that the context is running. If the context is inactive, the function returns -EINVAL without clearing ctx->walk_control, leaving a dangling pointer to a stack‑allocated structure that will be freed when the caller returns. A stale walk_control pointer can lead to a use‑after‑free if the context is later started and the kernel dereferences the pointer during operations such as damos_walk_cancel(). Although the description notes that no callers start the context after the error, the flaw could still produce an erroneous EBUSY status when subsequent damos_walk() calls are made, as the stale pointer remains non‑NULL. Because the backing structure is on the stack, the actual damage is limited to the DAMON subsystem, but users may encounter confusing error codes while DAMON remains stopped.

Affected Systems

The vulnerability occurs in the Linux kernel’s DAMON subsystem (dvfs/damon). All active Linux kernel releases that include DAMON – regardless of version number – are potentially affected. No specific vendor versions are listed, so the issue applies to any kernel build that has not yet incorporated the fix. Users running a kernel without the patch that clears ctx->walk_control before returning an error are at risk.

Risk and Exploitability

The exploitability of this flaw is low. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread or automated exploitation is currently known. Because the use‑after‑free scenario relies on a context that later becomes active after the error, and because DAMON is only used when explicitly started, an attacker would need privileged access to influence DAMON operation. The resulting error leaves DAMON unusable until it is restarted, which is a disruption rather than a traditional security breach. Overall, the risk can be considered moderate, with limited potential impact confined to DAMON service availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61`	affected	< ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b
`bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61`	affected	< 9320c77134ab8d7701e20608bbf08517df4fa321
`bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61`	affected	< d210fdcac9c0d1380eab448aebc93f602c1cd4e6

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61, ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b)`	affected	code_commit	—
`[bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61, 9320c77134ab8d7701e20608bbf08517df4fa321)`	affected	code_commit	—
`[bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61, d210fdcac9c0d1380eab448aebc93f602c1cd4e6)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	calver	—
`[0,6.14)`	unaffected	semver	—
`[6.18.19,6.18.*]`	unaffected	generic	—
`[6.19.9,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a patched release that clears ctx->walk_control before returning -EINVAL
If immediate upgrade is not possible, restart DAMON after each error to reset contexts and clear stale pointers
Monitor system logs for repeated EBUSY errors from DAMON; if observed, consider disabling DAMON until the patch is applied

Generated by OpenCVE AI on May 9, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321
https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b
https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6
https://lore.kernel.org/linux-cve-announce/2026050835-CVE-2026-43388-fa28@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43388
https://www.cve.org/CVERecord?id=CVE-2026-43388

History

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050835-CVE-2026-43388-fa28@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43388 https://www.cve.org/CVERecord?id=CVE-2026-43388

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it. The dangling walk_control pointer can cause: 1. Use-after-free if the context is later started and kdamond dereferences ctx->walk_control (e.g., in damos_walk_cancel() which writes to control->canceled and calls complete()) 2. Permanent -EBUSY from subsequent damos_walk() calls, since the stale pointer is non-NULL Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there is no damos_walk() callers who starts the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally uses a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again. Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.
Title		mm/damon/core: clear walk_control on inactive context in damos_walk()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321 https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:33.966Z

Updated: 2026-05-08T14:21:33.966Z

Reserved: 2026-05-01T14:12:56.006Z

Link: CVE-2026-43388

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:50.180

Modified: 2026-05-08T15:16:50.180

Link: CVE-2026-43388

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43388 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:30:16Z

Weaknesses

CWE-825

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object