Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock

damon_sysfs_quot_goal->path can be read and written by users, via DAMON
sysfs 'path' file. It can also be indirectly read, for the parameters
{on,off}line committing to DAMON. The reads for parameters committing are
protected by damon_sysfs_lock to avoid the sysfs files being destroyed
while any of the parameters are being read. But the user-driven direct
reads and writes are not protected by any lock, while the write is
deallocating the path-pointing buffer. As a result, the readers could
read the already freed buffer (use-after-free). Note that the user-reads
don't race when the same open file is used by the writer, due to kernfs's
open file locking. Nonetheless, doing the reads and writes with separate
open files would be common. Fix it by protecting both the user-direct
reads and writes with damon_sysfs_lock.
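
The locking pattern described above, as an added userspace model in C; it is not the kernel's code. A pthread mutex stands in for damon_sysfs_lock, and `struct goal`, `path_show` and `path_store` are hypothetical names chosen for this sketch.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct goal { char *path; };   /* hypothetical stand-in for the object owning ->path */

/* Models damon_sysfs_lock: one lock shared by every reader and writer of ->path. */
static pthread_mutex_t sysfs_lock = PTHREAD_MUTEX_INITIALIZER;

/* Read side: copy the string out while holding the lock, so a concurrent
 * store cannot free the buffer between loading the pointer and reading it. */
static int path_show(struct goal *g, char *buf, size_t len)
{
    int n;

    pthread_mutex_lock(&sysfs_lock);
    n = snprintf(buf, len, "%s\n", g->path ? g->path : "");
    pthread_mutex_unlock(&sysfs_lock);
    return n;
}

/* Write side: build the replacement before locking (allocation may fail),
 * then free the old buffer and publish the new one in one critical section. */
static int path_store(struct goal *g, const char *buf, size_t count)
{
    char *new_path = malloc(count + 1);

    if (!new_path)
        return -1;
    memcpy(new_path, buf, count);
    new_path[count] = '\0';
    new_path[strcspn(new_path, "\n")] = '\0';   /* drop the newline `echo` appends */

    pthread_mutex_lock(&sysfs_lock);
    free(g->path);          /* the free that unlocked readers could race with */
    g->path = new_path;
    pthread_mutex_unlock(&sysfs_lock);
    return (int)count;
}

int main(void)
{
    struct goal g = { NULL };
    char out[64];

    path_store(&g, "/tmp/a\n", 7);   /* constructed sample value */
    path_show(&g, out, sizeof(out));
    fputs(out, stdout);
    free(g.path);
    return 0;
}
```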
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the DAMON sysfs interface reads and writes the path value. A write operation frees the buffer that holds the path but is not protected by damon_sysfs_lock, so a concurrent user read that operates on a different file descriptor can see the freed memory, resulting in a kernel use-after-free. This can cause kernel memory corruption, a crash, or information leakage. The flaw stems from a double‑free and subsequent use‑after‑free, which fall under CWE-415 and CWE-413 respectively. The text does not state privilege escalation, and therefore that outcome is not explicitly supported.

Affected Systems

Linux kernel versions that ship the DAMON sysfs path implementation without the damon_sysfs_lock protection are affected. The CVE does not specify a version range, but any kernel containing the original damon_sysfs_path code before the referenced commits is vulnerable.

Risk and Exploitability

The flaw is a local kernel use‑after‑free that requires a user able to write to the DAMON sysfs "path" attribute and a race between a write and a read on separate file descriptors. Because the vulnerability is characterized as a double‑free (CWE‑415) followed by a use‑after‑free (CWE‑413), the potential for kernel memory corruption is significant. The CVSS score of 7.8 categorizes the issue as high severity. Exploitability is moderate due to this race condition, but the impact is high because of kernel memory corruption. The EPSS score is <1% and the vulnerability is not listed in CISA KEV, indicating limited known exploitation, yet systems exposing the DAMON sysfs interface to non‑privileged users pose a significant risk.

Generated by OpenCVE AI on June 11, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds damon_sysfs_lock protection to both reads and writes of the DAMON path sysfs attribute, as referenced in the commit logs.
  • If an updated kernel is not available, restrict write access on the DAMON sysfs files (for example, /sys/kernel/damon/path) so that only privileged users can modify them.
  • If a patch or permission restriction cannot be implemented, consider disabling the DAMON feature or removing its sysfs interface.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (use-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
Title mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:00:54.954Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46183

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:33.933

Modified: 2026-06-11T03:01:10.963

Link: CVE-2026-46183

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46183 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T04:30:04Z

Weaknesses