Description
In the Linux kernel, the following vulnerability has been resolved:

greybus: raw: fix use-after-free on cdev close

This addresses a use-after-free bug when a raw bundle is disconnected
but its chardev is still opened by an application. When the application
releases the cdev, it causes the following panic when init on free is
enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y):

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130
...
Call Trace:
<TASK>
cdev_put+0x18/0x30
__fput+0x255/0x2a0
__x64_sys_close+0x3d/0x80
do_syscall_64+0xa4/0x290
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The cdev is contained in the "gb_raw" structure, which is freed in the
disconnect operation. When the cdev is released at a later time,
cdev_put gets an address that points to freed memory.

To fix this use-after-free, convert the struct device from a pointer to
being embedded, that makes the lifetime of the cdev and of this device
the same. Then, use cdev_device_add, which guarantees that the device
won't be released until all references to the cdev have been released.
Finally, delegate the freeing of the structure to the device release
function, instead of freeing immediately in the disconnect callback.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel greybus raw driver contains a use‑after‑free bug (CWE‑825). When a raw bundle is disconnected, the associated character device (cdev) remains open. Closing the cdev after the bundle has been freed triggers a reference‑count underflow, causing a kernel panic. This results in a denial of service that can bring the entire system offline. The weakness arises from improper management of the lifecycle of the cdev and its enclosing device structure.

Affected Systems

Affected systems are Linux kernel builds that include the greybus raw driver and lack the patch commit that replaced the device pointer with an embedded struct. The vulnerability exists in any kernel version that has not incorporated the fix from commit 983cc2c7efb. The issue may affect a wide range of Linux‑based servers, desktops, and embedded devices that rely on greybus for USB‑device interactions.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, and the EPSS score (< 1%) suggests a low likelihood of exploitation at the moment. The vulnerability is listed as not in the CISA KEV catalog. Based on the description, the likely attack vector is local; an attacker who can open the raw bundle device and trigger a disconnect can cause a kernel panic. No remote code execution or privilege escalation is achieved; the damage is limited to a service disruption of the host. The condition requires the device to have been disconnected while still held open, so the exploit is dependent on specific timing and local access.

Generated by OpenCVE AI on June 28, 2026 at 14:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the greybus raw driver use‑after‑free fix.
  • If upgrading is not immediately possible, disable or unload the greybus raw driver module and avoid using raw bundles until a patched kernel is available.
  • Temporarily disable the CONFIG_INIT_ON_FREE_DEFAULT_ON kernel configuration option to prevent the crash when the bug occurs.
  • Continuously monitor system logs for refcount warnings or kernel panic messages to detect any remaining issue.

Generated by OpenCVE AI on June 28, 2026 at 14:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 27 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: greybus: raw: fix use-after-free on cdev close This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the following panic when init on free is enabled (CONFIG_INIT_ON_FREE_DEFAULT_ON=y): refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 139 at lib/refcount.c:28 refcount_warn_saturate+0xd0/0x130 ... Call Trace: <TASK> cdev_put+0x18/0x30 __fput+0x255/0x2a0 __x64_sys_close+0x3d/0x80 do_syscall_64+0xa4/0x290 entry_SYSCALL_64_after_hwframe+0x77/0x7f The cdev is contained in the "gb_raw" structure, which is freed in the disconnect operation. When the cdev is released at a later time, cdev_put gets an address that points to freed memory. To fix this use-after-free, convert the struct device from a pointer to being embedded, that makes the lifetime of the cdev and of this device the same. Then, use cdev_device_add, which guarantees that the device won't be released until all references to the cdev have been released. Finally, delegate the freeing of the structure to the device release function, instead of freeing immediately in the disconnect callback.
Title greybus: raw: fix use-after-free on cdev close
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:09.244Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53025

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53025 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference