Description
In the Linux kernel, the following vulnerability has been resolved:

Input: edt-ft5x06 - fix use-after-free in debugfs teardown

The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs
directory") removed the manual debugfs teardown, relying on the I2C core
to handle it. However, this creates a window where debugfs files are
still accessible after edt_ft5x06_ts_teardown_debugfs() frees
tsdata->raw_buffer.

To prevent a use-after-free, protect the freeing of raw_buffer with the
device mutex and set raw_buffer to NULL. The debugfs read function
already checks if raw_buffer is NULL under the same mutex, so this
safely avoids the use-after-free.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the Linux kernel’s edt-ft5x06 driver during debugfs teardown: the teardown frees the raw buffer while the debugfs files are still accessible, so a read operation can access freed memory. This memory corruption can lead to system instability, data corruption, or other denial-of-service effects. The weakness is a classic use-after-free (CWE‑416).
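
The locking pattern the description prescribes, modeled in userspace C with a pthread mutex standing in for the device mutex. This is an added example, not the driver's or the kernel patch's code; the struct, the function names and the -EIO return value are assumptions made for the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model; names are hypothetical, not the driver's own. */
struct ts_model {
    pthread_mutex_t mutex;      /* stands in for the device mutex */
    unsigned char *raw_buffer;  /* buffer exposed through the debug file */
    size_t raw_bufsize;
};

int ts_init(struct ts_model *ts, size_t size)
{
    pthread_mutex_init(&ts->mutex, NULL);
    ts->raw_buffer = calloc(1, size);
    ts->raw_bufsize = size;
    return ts->raw_buffer ? 0 : -ENOMEM;
}

/* Flawed shape inferred from the description: freed outside the lock, pointer left dangling. */
void ts_teardown_unfixed(struct ts_model *ts)
{
    free(ts->raw_buffer);
}

/* Fixed shape: free under the mutex, then clear the pointer readers test. */
void ts_teardown_fixed(struct ts_model *ts)
{
    pthread_mutex_lock(&ts->mutex);
    free(ts->raw_buffer);
    ts->raw_buffer = NULL;
    pthread_mutex_unlock(&ts->mutex);
}

/* Read handler: the NULL check and the copy run under the same mutex as the free. */
int ts_raw_read(struct ts_model *ts, unsigned char *dst, size_t len)
{
    int ret = -EIO;  /* error code chosen for this model */
    pthread_mutex_lock(&ts->mutex);
    if (ts->raw_buffer) {
        if (len > ts->raw_bufsize)
            len = ts->raw_bufsize;
        memcpy(dst, ts->raw_buffer, len);
        ret = (int)len;
    }
    pthread_mutex_unlock(&ts->mutex);
    return ret;
}
```

A reader that arrives after ts_teardown_fixed() gets an error instead of touching freed memory; both halves are needed, since the lock alone would still leave a dangling pointer and the NULL store alone could still race with a reader in mid-copy.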

Affected Systems

The vulnerability affects the Linux kernel; no specific kernel version is listed in the advisory, so all kernel builds that include the edt-ft5x06 driver and have not yet been patched are potentially affected. The vendor/product is simply Linux/Linux as per the CNA information.

Risk and Exploitability

The EPSS score is not available and the issue is not listed in the CISA KEV catalog, indicating no known active exploitation at the time of disclosure. The CVSS score is not provided in the metadata, but a use‑after‑free in kernel code generally carries high impact. The likely attack vector is local, requiring access to the device or the ability to trigger the debugfs teardown. Conditions for exploitation include the kernel loading the edt-ft5x06 driver and the presence of exposed debugfs entries. Because the flaw is limited to memory corruption, it typically requires privileged context or sufficient control over the device to trigger the vulnerable path.

Generated by OpenCVE AI on May 27, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the posted fix that protects raw_buffer from use after free
  • If a kernel upgrade cannot be performed immediately, disable the edt-ft5x06 debugfs entries by recompiling the kernel without debugfs support for this driver or by removing the module from use
  • Use system monitoring tools to watch for memory corruption or crash logs that could indicate exploitation attempts

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Same text as the Description at the top of this page
Title | | Input: edt-ft5x06 - fix use-after-free in debugfs teardown
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:59.100Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46097

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:31.333

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:00:15Z

Weaknesses

No weakness.