Description
In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free on cdev close

This addresses a use-after-free bug when a raw bundle is disconnected
but its chardev is still opened by an application. When the application
releases the cdev, it causes the following panic when init on free is
enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130
...
Call Trace:
<TASK>
cdev_put+0x18/0x30
__fput+0x255/0x2a0
__x64_sys_close+0x3d/0x80
do_syscall_64+0xa4/0x290
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The cdev is contained in the "gb_raw" structure, which is freed in the
disconnect operation. When the cdev is released at a later time,
cdev_put gets an address that points to freed memory.

To fix this use-after-free, convert the struct device from a pointer to
being embedded, which makes the lifetime of the cdev and of this device
the same. Then, use cdev_device_add, which guarantees that the device
won't be released until all references to the cdev have been released.
Finally, delegate the freeing of the structure to the device release
function, instead of freeing immediately in the disconnect callback.
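
The lifetime rule the fix relies on, as an added userspace C model (not the kernel patch or the driver's code): the structure is freed only by the release callback, once the last reference is dropped. The types dev_model and raw_model, the frees counter and alive_at_close() are hypothetical stand-ins, and the cdev-to-device reference chain is collapsed into a single count.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: dev_model stands in for struct device and its
 * reference count, raw_model for struct gb_raw. All names are hypothetical. */
struct dev_model {
    int refs;
    void (*release)(struct dev_model *dev);
};
struct raw_model {
    int cdev_state;          /* stands in for the embedded struct cdev */
    struct dev_model dev;    /* embedded rather than a pointer, as in the fix */
};
static int frees;            /* number of times a raw_model has been freed */
/* Release callback: the only place the fixed driver frees the structure. */
static void raw_release(struct dev_model *dev)
{
    /* same arithmetic as container_of(): member pointer -> enclosing struct */
    free((char *)dev - offsetof(struct raw_model, dev));
    frees++;
}
static void dev_get(struct dev_model *d) { d->refs++; }
static void dev_put(struct dev_model *d) { if (--d->refs == 0) d->release(d); }
/* Disconnect the bundle while the chardev is open, then close the chardev.
 * fixed == 0: disconnect frees at once, ignoring the open file's reference.
 * fixed == 1: disconnect only drops the driver's own reference.
 * Returns 1 if the structure was still allocated when close ran, else 0. */
int alive_at_close(int fixed)
{
    struct raw_model *raw = calloc(1, sizeof(*raw));
    if (!raw) return -1;
    frees = 0;
    raw->dev.refs = 1;                /* reference held by the driver (probe) */
    raw->dev.release = raw_release;
    dev_get(&raw->dev);               /* open(): the file pins the device */
    if (fixed)
        dev_put(&raw->dev);           /* disconnect: 2 -> 1, nothing freed */
    else
        raw_release(&raw->dev);       /* disconnect: immediate free */
    int alive = (frees == 0);
    if (alive)
        dev_put(&raw->dev);           /* close(): 1 -> 0, release frees */
    return alive;   /* 0 means a real close would now touch freed memory */
}
int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", alive_at_close(0), alive_at_close(1));
    return 0;
}
```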
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free bug exists in the Linux kernel greybus raw driver. When a raw bundle is disconnected while an application still holds an open handle to its character device, closing that device makes cdev_put operate on freed memory, which the kernel reports as a refcount_t underflow. With init on free enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y), this leads to a kernel panic that can bring the host offline, effectively denying service to all users on the affected system.

Affected Systems

The affected component is the Linux kernel greybus raw driver module. Any Linux kernel build that includes the greybus raw driver and predates the fix is affected. Specific version numbers are not listed in the data, but the vulnerability is present in kernels prior to the patch commit referenced in the advisories.

Risk and Exploitability

The CVSS metric is not provided, and the EPSS score is unavailable; KEV does not list this vulnerability. The likely attack vector is local; an attacker who can open the raw bundle device and trigger a disconnect can cause the kernel to crash. No publicly documented exploits exist, and the vulnerability results in a denial of service rather than privilege escalation or remote code execution.

Generated by OpenCVE AI on June 24, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the greybus raw driver use-after-free fix.
  • If upgrading is not immediately possible, disable or unload the greybus raw device module and avoid using raw bundles until a patched kernel is available.
  • Continuously monitor system logs for refcount warnings or kernel panic messages to detect if the issue remains present.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | greybus: raw: fix use-after-free on cdev close
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:33.971Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53025

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses