Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".

Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race
with their writes, results in use-after-free. Fix those.


This patch (of 2):

damon_sysfs_scheme_filter->mmecg_path can be read and written by users,
via DAMON sysfs memcg_path file. It can also be indirectly read, for the
parameters {on,off}line committing to DAMON. The reads for parameters
committing are protected by damon_sysfs_lock to avoid the sysfs files
being destroyed while any of the parameters are being read. But the
user-driven direct reads and writes are not protected by any lock, while
the write is deallocating the memcg_path-pointing buffer. As a result,
the readers could read the already freed buffer (user-after-free). Note
that the user-reads don't race when the same open file is used by the
writer, due to kernfs's open file locking. Nonetheless, doing the reads
and writes with separate open files would be common. Fix it by protecting
both the user-direct reads and writes with damon_sysfs_lock.
Published: 2026-05-28
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition between reads and writes to the 'memcg_path' and 'path' files in the DAMON sysfs interface. A write operation deallocates the buffer that holds the path while a separate read may access the freed memory, resulting in a use‑after‑free. This can lead to kernel memory corruption but does not provide an immediate code execution path.

Affected Systems

The flaw exists in the Linux kernel for all releases for which the patch has not yet been applied. No specific kernel versions are listed as affected; the vulnerability is identified generally across the Linux platform.

Risk and Exploitability

The CVSS score is 7.0, indicating high severity, and the EPSS score is < 1%, which suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack requires a local user with the ability to read and write the /sys/kernel/damon/memcg_path file, typically meaning root or a user with elevated rights. The race condition makes the issue exploitable when reads and writes are performed via separate open file descriptors, which is a common usage pattern. If a successful attempt is made, it could lead to kernel memory corruption, potentially disrupting system operation or compromising system integrity.

Generated by OpenCVE AI on May 29, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the damon_sysfs_lock fix, such as the latest stable release of the 6.x series.
  • If an upgrade is not immediately possible, cherry–pick the commits identified in the provided git links (c/1e68eb96, c/b1e9f2d5, c/baecc45, c/c88802d0, c/eafd6f53) into your kernel source, rebuild, and reboot.
  • As a temporary safeguard when you cannot modify the kernel, restrict write access to /sys/kernel/damon/memcg_path by setting file permissions to root only or by disabling the DAMON sysfs interface if it is not required for your workloads.

Generated by OpenCVE AI on May 29, 2026 at 02:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Thu, 28 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path". Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free. Fix those. This patch (of 2): damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
Title mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:55:59.503Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46121

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:27.600

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46121

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46121 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T02:30:33Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-416

    Use After Free