CVE-2026-46280
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
08/06/2026
Last modified:
08/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
lib: test_hmm: evict device pages on file close to avoid use-after-free<br />
<br />
Patch series "Minor hmm_test fixes and cleanups".<br />
<br />
Two bugfixes a cleanup for the HMM kernel selftests. These were mostly<br />
reported by Zenghui Yu with special thanks to Lorenzo for analysing and<br />
pointing out the problems.<br />
<br />
<br />
This patch (of 3):<br />
<br />
When dmirror_fops_release() is called it frees the dmirror struct but<br />
doesn&#39;t migrate device private pages back to system memory first. This<br />
leaves those pages with a dangling zone_device_data pointer to the freed<br />
dmirror.<br />
<br />
If a subsequent fault occurs on those pages (eg. during coredump) the<br />
dmirror_devmem_fault() callback dereferences the stale pointer causing a<br />
kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,<br />
where a test failure triggered SIGABRT and the resulting coredump walked<br />
the VMAs faulting in the stale device private pages.<br />
<br />
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in<br />
dmirror_fops_release() to migrate all device private pages back to system<br />
memory before freeing the dmirror struct. The function is moved earlier<br />
in the file to avoid a forward declaration.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8 (including) | 6.1.176 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89
- https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3
- https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0
- https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144
- https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1
- https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239



