Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".

Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race
with their writes, results in use-after-free. Fix those.


This patch (of 2):

damon_sysfs_scheme_filter->mmecg_path can be read and written by users,
via DAMON sysfs memcg_path file. It can also be indirectly read, for the
parameters {on,off}line committing to DAMON. The reads for parameters
committing are protected by damon_sysfs_lock to avoid the sysfs files
being destroyed while any of the parameters are being read. But the
user-driven direct reads and writes are not protected by any lock, while
the write is deallocating the memcg_path-pointing buffer. As a result,
the readers could read the already freed buffer (user-after-free). Note
that the user-reads don't race when the same open file is used by the
writer, due to kernfs's open file locking. Nonetheless, doing the reads
and writes with separate open files would be common. Fix it by protecting
both the user-direct reads and writes with damon_sysfs_lock.
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition between reads and writes to the 'memcg_path' and 'path' files in the DAMON sysfs interface. A write operation deallocates the buffer that holds the path while a separate read can still access the deallocated memory. This results in a use‑after‑free condition that can corrupt kernel memory if an attacker can control the memory layout. The flaw does not provide immediate executable code but yields significant exploitability in a local privileged context.

Affected Systems

The flaw exists in the Linux kernel for all releases for which the patch has not yet been applied. No specific kernel versions are listed as affected; the vulnerability is identified generally across the Linux platform.

Risk and Exploitability

The CVSS score is not disclosed in the available data, and no EPSS value is provided, so the likelihood of exploitation remains uncertain. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack requires a local user with the ability to read and write the /sys/kernel/damon/memcg_path file, typically meaning root or a user with elevated rights. The race condition makes the issue exploitable when reads and writes are performed via separate open file descriptors, which is a common usage pattern. If successfully exploited, an attacker could corrupt kernel memory and potentially gain higher privileges or crash the system.

Generated by OpenCVE AI on May 28, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the damon_sysfs_lock fix, such as the latest stable release of the 6.x series.
  • If an upgrade is not immediately possible, cherry–pick the commits identified in the provided git links (c/1e68eb96, c/b1e9f2d5, c/baecc45, c/c88802d0, c/eafd6f53) into your kernel source, rebuild, and reboot.
  • As a temporary safeguard when you cannot modify the kernel, restrict write access to /sys/kernel/damon/memcg_path by setting file permissions to root only or by disabling the DAMON sysfs interface if it is not required for your workloads.

Generated by OpenCVE AI on May 28, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path". Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free. Fix those. This patch (of 2): damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
Title mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:36.292Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46121

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-28T10:16:27.600

Modified: 2026-05-28T10:16:27.600

Link: CVE-2026-46121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T12:00:12Z

Weaknesses