CVE-2026-46285
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
08/06/2026
Last modified:
08/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mtd: docg3: fix use-after-free in docg3_release()<br />
<br />
In docg3_release(), the docg3 pointer is obtained from<br />
cascade->floors[0]->priv before the loop that calls<br />
doc_release_device() on each floor. doc_release_device() frees the<br />
docg3 struct via kfree(docg3) at line 1881. After the loop,<br />
docg3->cascade->bch dereferences the already-freed pointer.<br />
<br />
Fix this by accessing cascade->bch directly, which is equivalent<br />
since docg3->cascade points back to the same cascade struct, and<br />
is already available as a local variable. This also removes the<br />
now-unused docg3 local variable.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc
- https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e
- https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391
- https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339
- https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98
- https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee
- https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679
- https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17



