CVE-2026-46285 - Vulnerability Details

- mtd: docg3: fix use-after-free in docg3_release()

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.

Published: 2026-06-08

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The report identifies a use‑after‑free condition in the Linux kernel’s MTD docg3 subsystem, specifically within the docg3_release() routine. After freeing floor devices with doc_release_device(), the code dereferences a pointer that points to the already-freed docg3 structure, leading to undefined behavior that can corrupt kernel memory or cause a crash. The weakness is a classic use‑after‑free flaw (CWE‑416). While the description does not explicitly state the required privileges, it is inferred that the exploit would need local kernel‑mode execution, such as a privileged user or a kernel module that can trigger the vulnerable function.

Affected Systems

This defect resides in the upstream Linux kernel and therefore applies to any distribution that compiles the kernel with the unpatched docg3_release() code. No specific releases are listed, so any kernel built from the affected source tree prior to the commit series that introduces the fix is at risk. The only vendor explicitly mentioned is the Linux kernel project.

Risk and Exploitability

Because the anomaly occurs in kernel code, it can provide an attacker with the ability to corrupt critical data structures or execute arbitrary code with kernel privileges once a local foothold is achieved. The CVSS score is not published, but the nature of a kernel use‑after‑free bug implies a high severity. The EPSS score is not available, and the vulnerability is not catalogued in the CISA KEV list. Even without an advertised remote exploit, the combination of a kernel bug and the ability to gain local kernel execution is sufficient for an attacker to abuse this flaw if the system lacks other mitigation layers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< 8408655ec8344511667b61d8257dc59c80ee3391
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< f5d2ed4ed47d3906e2495a3537a48b127f497a17
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< 2bf706fe7831b319f23a85b9728f961cfed40c3e
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< d26f8c361f751c188b7ebaf8189aa0258968fd98
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< 16f6588a3b7a2a20d10ad9b766be74c60ba347cc
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< d89044889ecd11b0c2f86663597246e9bdd25679
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< d49628d63d4e6bbc8a1621afb88e5fc901611bee
`c8ae3f744ddca0da164bcacee42d1d4b6fe7027d`	affected	< ca19808bc6fac7e29420d8508df569b346b3e339

Linux

affected

Version	Status	Constraints
`5.8`	affected	—
`0`	unaffected	< 5.8
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,8408655ec8344511667b61d8257dc59c80ee3391)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,f5d2ed4ed47d3906e2495a3537a48b127f497a17)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,2bf706fe7831b319f23a85b9728f961cfed40c3e)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,d26f8c361f751c188b7ebaf8189aa0258968fd98)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,16f6588a3b7a2a20d10ad9b766be74c60ba347cc)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,d89044889ecd11b0c2f86663597246e9bdd25679)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,d49628d63d4e6bbc8a1621afb88e5fc901611bee)`	affected	code_commit	—
`[c8ae3f744ddca0da164bcacee42d1d4b6fe7027d,ca19808bc6fac7e29420d8508df569b346b3e339)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.8`	affected	generic	—
`[0,5.8)`	unaffected	generic	—
`[5.10.258,5.10.*]`	unaffected	generic	—
`[5.15.209,5.15.*]`	unaffected	generic	—
`[6.1.175,6.1.*]`	unaffected	generic	—
`[6.6.140,6.6.*]`	unaffected	generic	—
`[6.12.86,6.12.*]`	unaffected	generic	—
`[6.18.27,6.18.*]`	unaffected	generic	—
`[7.0.4,7.0.*]`	unaffected	generic	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel patch that includes the commit series fixing the use‑after‑free in docg3_release(); the relevant patches are referenced in the advisory commit logs (e.g., https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc).
If an immediate kernel upgrade is not feasible, disable the MTD docg3 subsystem during kernel configuration or replace the buggy implementation with the corrected code that accesses cascade->bch directly rather than dereferencing a freed pointer.
After applying the patch or disabling the subsystem, monitor the kernel logs (dmesg, /var/log/kern.log) for indications of memory corruption, panics, or abnormal behavior in the MTD subsystem and ensure the kernel reports no further use‑after‑free attempts.

Generated by OpenCVE AI on June 8, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc
https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e
https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391
https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339
https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98
https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee
https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679
https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17
https://lore.kernel.org/linux-cve-announce/2026060843-CVE-2026-46285-0239@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46285
https://www.cve.org/CVERecord?id=CVE-2026-46285

History

Tue, 09 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026060843-CVE-2026-46285-0239@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46285 https://www.cve.org/CVERecord?id=CVE-2026-46285

Mon, 08 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Mon, 08 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_release() In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer. Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.
Title		mtd: docg3: fix use-after-free in docg3_release()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391 https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339 https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98 https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679 https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-08T15:41:28.566Z

Updated: 2026-06-08T15:41:28.566Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46285

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T17:16:46.347

Modified: 2026-06-08T17:16:46.347

Link: CVE-2026-46285

Redhat

Severity :

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46285 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-08T19:45:31Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object