Description
In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free if write is called after disconnect

If a user writes to the chardev after disconnect has been called, the
kernel panics with the following trace (with
CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

BUG: kernel NULL pointer dereference, address: 0000000000000218
...
Call Trace:
<TASK>
gb_operation_create_common+0x61/0x180
gb_operation_create_flags+0x28/0xa0
gb_operation_sync_timeout+0x6f/0x100
raw_write+0x7b/0xc7 [gb_raw]
vfs_write+0xcf/0x420
? task_mm_cid_work+0x136/0x220
ksys_write+0x63/0xe0
do_syscall_64+0xa4/0x290
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Disconnect calls gb_connection_destroy, which ends up freeing the
connection object. When gb_operation_sync is called in the write file
operations, it gets a freed connection as parameter and the kernel
panics.

The gb_connection_destroy cannot be moved out of the disconnect
function, as the Greybus subsystem expects all connections belonging to a
bundle to be destroyed when disconnect returns.

To prevent this bug, use a rw lock to synchronize access between write
and disconnect. This guarantees that the write function doesn't try
to use a disconnected connection.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free condition exists in the Greybus raw driver of the Linux kernel. When a disconnect frees a connection object while a concurrent write still references it, the kernel dereferences a null pointer and panics. This is a classic memory corruption flaw (CWE‑416) that can abruptly bring the system down.

Affected Systems

All Linux kernel variants that include the Greybus raw subsystem before the fix identified by commit 48d6c32bc049abd114e8f0836c0e7d7cbfba7827. No vendor‑specific product list is provided, and the CPE tracks the generic Linux kernel.

Risk and Exploitability

The flaw produces a local denial‑of‑service; the attacker must be able to issue write calls to the device file after the connection has been disconnected. Based on the description, it is inferred that this requires local write access to the Greybus raw character device, a privilege that is typically limited to root or privileged processes. EPSS data is not available and the vulnerability is not catalogued in CISA's KEV list, suggesting no publicly known exploits yet. Nevertheless, a kernel panic is severe enough to warrant prompt patching.

Generated by OpenCVE AI on June 24, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the greybus use‑after‑free fix (commit 48d6c32bc049abd114e8f0836c0e7d7cbfba7827).
  • Disable or remove the Greybus raw module if an update cannot be applied, thereby eliminating the vulnerable character device.
  • Restrict write permissions on the Greybus raw device file to only privileged users to prevent accidental or malicious writes after a disconnect.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title: greybus: raw: fix use-after-free if write is called after disconnect
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:33.184Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53024

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:45:05Z

Weaknesses