CVE-2026-46288 - Vulnerability Details

- of: unittest: fix use-after-free in of_unittest_changeset()

Description

In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in of_unittest_changeset()

The variable 'parent' is assigned the value of 'nchangeset' earlier in the
function, meaning both point to the same struct device_node. The call to
of_node_put(nchangeset) can decrement the reference count to zero and
free the node if there are no other holders. After that, the code still
uses 'parent' to check for the presence of a property and to read a
string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to
'parent', avoiding the UAF.

Published: 2026-06-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free in the function of_unittest_changeset() within the Linux kernel. After the reference count of a device node is decremented, the node may be freed while the code continues to use the same pointer to read properties. This can corrupt memory and, because the code runs with kernel privileges, may allow the execution of arbitrary code at privileged levels.

Affected Systems

All Linux kernel builds that contain the unpatched version of of_unittest_changeset(). The vendor list indicates generic Linux kernels with no specific version range supplied, so any installation of the kernel that has not yet incorporated the fix commit is potentially vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA KEV. The use‑after‑free occurs in critical kernel code, giving it high severity. It is exploitable locally by code that triggers the function—such as malicious modules, testing tools, or other privileged processes. As the flaw occurs in privileged kernel context, successful exploitation can lead to total system compromise. The likely attack vector is local privilege escalation or a trusted module that can invoke the buggy path.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1c668ea65506e67ce2eae07b69bb09fcdd86e309`	affected	< 37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1
`1c668ea65506e67ce2eae07b69bb09fcdd86e309`	affected	< 7f0f0926f3010b10cff5e93446258f971e42f2fd
`1c668ea65506e67ce2eae07b69bb09fcdd86e309`	affected	< 6fdad20b7975bdc32e85b45f8f7c640f6687b81f
`1c668ea65506e67ce2eae07b69bb09fcdd86e309`	affected	< faecdd423c27f0d6090156a435ba9dbbac0eaddb

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1c668ea65506e67ce2eae07b69bb09fcdd86e309,37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1)`	affected	code_commit	—
`[1c668ea65506e67ce2eae07b69bb09fcdd86e309,7f0f0926f3010b10cff5e93446258f971e42f2fd)`	affected	code_commit	—
`[1c668ea65506e67ce2eae07b69bb09fcdd86e309,6fdad20b7975bdc32e85b45f8f7c640f6687b81f)`	affected	code_commit	—
`[1c668ea65506e67ce2eae07b69bb09fcdd86e309,faecdd423c27f0d6090156a435ba9dbbac0eaddb)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	generic	—
`[0,6.12)`	unaffected	generic	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install a Linux kernel version that contains the commit moving the of_node_put() call after the final use of the parent pointer.
Reboot the system so that the updated kernel is running.
As an interim precaution, restrict loading of kernel modules or disable functionality that can trigger the of_unittest_changeset() code path until the patch is applied.

Generated by OpenCVE AI on June 9, 2026 at 03:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1
https://git.kernel.org/stable/c/6fdad20b7975bdc32e85b45f8f7c640f6687b81f
https://git.kernel.org/stable/c/7f0f0926f3010b10cff5e93446258f971e42f2fd
https://git.kernel.org/stable/c/faecdd423c27f0d6090156a435ba9dbbac0eaddb
https://lore.kernel.org/linux-cve-announce/2026060844-CVE-2026-46288-76f3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46288
https://www.cve.org/CVERecord?id=CVE-2026-46288

History

Tue, 09 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Tue, 09 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026060844-CVE-2026-46288-76f3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46288 https://www.cve.org/CVERecord?id=CVE-2026-46288

Mon, 08 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Mon, 08 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in of_unittest_changeset() The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free. Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.
Title		of: unittest: fix use-after-free in of_unittest_changeset()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1 https://git.kernel.org/stable/c/6fdad20b7975bdc32e85b45f8f7c640f6687b81f https://git.kernel.org/stable/c/7f0f0926f3010b10cff5e93446258f971e42f2fd https://git.kernel.org/stable/c/faecdd423c27f0d6090156a435ba9dbbac0eaddb

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-08T15:41:31.868Z

Updated: 2026-06-08T15:41:31.868Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46288

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T17:16:46.957

Modified: 2026-06-08T17:16:46.957

Link: CVE-2026-46288

Redhat

Severity :

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46288 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T03:45:26Z

Weaknesses

CWE-911

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object