CVE-2026-45989 - Vulnerability Details

- of: unittest: fix use-after-free in testdrv_probe()

Description

In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in testdrv_probe()

The function testdrv_probe() retrieves the device_node from the PCI
device, applies an overlay, and then immediately calls of_node_put(dn).
This releases the reference held by the PCI core, potentially freeing
the node if the reference count drops to zero. Later, the same freed
pointer 'dn' is passed to of_platform_default_populate(), leading to a
use-after-free.

The reference to pdev->dev.of_node is owned by the device model and
should not be released by the driver. Remove the erroneous of_node_put()
to prevent premature freeing.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability involves a use-after-free in the Linux kernel PCI device driver function testdrv_probe(). A reference to the OpenFirmware device node is prematurely released, freeing memory that is later accessed by of_platform_default_populate(). This flaw can corrupt memory, potentially allowing an attacker to corrupt kernel data structures, crash the system, or execute arbitrary code with kernel privileges.

Affected Systems

The affected product is the Linux kernel. No specific version range is provided in the advisory; the fix was applied in kernel commits starting with 07fd339b2c253205794bea5d9b4b7548a4546c56 and later. Linux, as the vendor, is the only identified product.

Risk and Exploitability

Exploitability is not quantified with an EPSS score and the vulnerability is not listed in the CISA KEV catalog. However, use-after-free flaws are generally high severity when an attacker can load the vulnerable driver or otherwise influence its execution. The lack of a CVSS score prevents precise quantification, but the nature of the flaw indicates a potentially high impact if exploited. Based on the description, it is inferred that an attacker would need local or elevated access to load the driver, after which the freed reference could lead to memory corruption or denial of service. The likely attack path is to trigger the driver via a device that uses testdrv, unless mitigated by disabling the driver or updating the kernel.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`26409dd045892904b059dc411403e9c8ce7543ca`	affected	< 0ba03e06f037df704d9b032e36d417633e2326bc
`26409dd045892904b059dc411403e9c8ce7543ca`	affected	< d68347b07b9801791c9eaab8f772770b52b8cd5c
`26409dd045892904b059dc411403e9c8ce7543ca`	affected	< 5b6122a67a295f8a08b7c18d908a1bd974dfaec8
`26409dd045892904b059dc411403e9c8ce7543ca`	affected	< 6b2023286d2c6ed3bf964fb92e34c9c14d42eb69
`26409dd045892904b059dc411403e9c8ce7543ca`	affected	< 07fd339b2c253205794bea5d9b4b7548a4546c56

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[26409dd045892904b059dc411403e9c8ce7543ca,0ba03e06f037df704d9b032e36d417633e2326bc)`	affected	code_commit	—
`[26409dd045892904b059dc411403e9c8ce7543ca,d68347b07b9801791c9eaab8f772770b52b8cd5c)`	affected	code_commit	—
`[26409dd045892904b059dc411403e9c8ce7543ca,5b6122a67a295f8a08b7c18d908a1bd974dfaec8)`	affected	code_commit	—
`[26409dd045892904b059dc411403e9c8ce7543ca,6b2023286d2c6ed3bf964fb92e34c9c14d42eb69)`	affected	code_commit	—
`[26409dd045892904b059dc411403e9c8ce7543ca,07fd339b2c253205794bea5d9b4b7548a4546c56)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	generic	—
`[0,6.6)`	unaffected	generic	—
`[6.6.140,7.0.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that contains the commit 07fd339b2c253205794bea5d9b4b7548a4546c56 or later to remove the erroneous of_node_put call.
If a kernel upgrade is not immediately possible, prevent the vulnerable driver from loading by disabling or removing the testdrv module from the system using modprobe --disable or editing /etc/modprobe.d to blacklist it.
After disabling the module, monitor system logs for unexpected driver load attempts and verify that the driver is no longer present in the module list. If the system must run the driver, consider restricting its usage to trusted contexts and monitor for any memory corruption signs.

Generated by OpenCVE AI on May 27, 2026 at 18:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/07fd339b2c253205794bea5d9b4b7548a4546c56
https://git.kernel.org/stable/c/0ba03e06f037df704d9b032e36d417633e2326bc
https://git.kernel.org/stable/c/5b6122a67a295f8a08b7c18d908a1bd974dfaec8
https://git.kernel.org/stable/c/6b2023286d2c6ed3bf964fb92e34c9c14d42eb69
https://git.kernel.org/stable/c/d68347b07b9801791c9eaab8f772770b52b8cd5c

History

Wed, 27 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in testdrv_probe() The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer 'dn' is passed to of_platform_default_populate(), leading to a use-after-free. The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing.
Title		of: unittest: fix use-after-free in testdrv_probe()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/07fd339b2c253205794bea5d9b4b7548a4546c56 https://git.kernel.org/stable/c/0ba03e06f037df704d9b032e36d417633e2326bc https://git.kernel.org/stable/c/5b6122a67a295f8a08b7c18d908a1bd974dfaec8 https://git.kernel.org/stable/c/6b2023286d2c6ed3bf964fb92e34c9c14d42eb69 https://git.kernel.org/stable/c/d68347b07b9801791c9eaab8f772770b52b8cd5c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:55:41.276Z

Updated: 2026-05-27T12:55:41.276Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45989

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:16.413

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:30:34Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object